A SURVEY OF ID TECHNOLOGY - SPRING 2014 - ISSUE 37
EXTERMINATING THE PASSWORD
Enterprises take aim at the unpopular, hard-to-kill authenticator
Some security technologies are sooooo yesterday.
Stay on the cutting edge with the interoperable iCLASS SE® Platform — for access control that’s never out of style. Choose HID Global’s iCLASS SE® Platform — the open, adaptable solution that easily integrates smart cards, mobile devices and whatever tomorrow brings, for greater security, flexibility, simplicity and performance. Now as your access control evolves, your budget will stay optimized and your security will always be in style. Start your iCLASS® SE Platform makeover at hidglobal.com/yesterday-reid © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and iCLASS SE are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.
RELIABILITY DELIVERED DEPEND ON CONSISTENT CARD PRINTING WITH DATACARD SECURE ID SOLUTIONS ®
Our printers, supplies and software are engineered and tested to work together so you can dependably deliver IDs on time and on budget. Our commitment to Secure Issuance Anywhere™ means that you can count on Datacard Group to deliver superior reliability and proven technology — anytime and anywhere you need it. Demand the performance you need. Demand Datacard® secure ID solutions. Get started by contacting an authorized Datacard partner near you. Call 1-800-995-0503 or visit www.datacard.com/id
Datacard and Secure Issuance Anywhere are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. ©2014 DataCard Corporation. All rights reserved.
If you want to go far,
go together I’m Wayne Smith, vice president for Tech Systems, Inc. in Duluth, GA. We have been Software House certified for over 15 years. Recently, we were put to the test by our client, Greenville Hospital System. Having been in operation for 100 years, they had grown to be an incredibly complex organization, with 5 stand-alone hospitals, 75 off-site facilities, and a recently opened 4-year medical school. We were able to meet their security challenges head-on using the robust and scalable C∙CURE access control system from Software House. The system had the power and flexibility we needed to get the entire enterprise under control. And, thanks to our Software House training and experience, we were able to ensure the safety of thousands of hospital patients, visitors, employees, and students for years to come. Me and Software House. Together, we’re taking security farther.
Wayne Smith, Vice President - Tech Systems, Inc., Duluth, GA based Software House integrator
www.swhouse.com © 2014 Tyco Security Products. All Rights Reserved.
Go far, together.
We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.
gemalto.com ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN MORE AT GEMALTO.COM
© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. January 2014 - Credit photos: Thinkstockphotos - CC
Trusted and convenient digital services for billions of individuals
CONTENTS

6 Editorial: Passwords won’t die. But at least you’ll like their next incarnation
8 ID Shorts: News and posts from the web
20 Cover Story: Exterminating the password. Enterprises take aim at the unpopular, hard-to-kill authenticator. “Killing the password” is a hot topic among identification and authentication companies and with good reason. The weak authenticator is responsible for a majority of data breaches. This has forced enterprises to explore other technologies for access to resources. Biometrics, digital certificates and risk-based analytics are just some of the technologies that will be used for identification and authentication in the future.
22 Recommendations for IAM pros in B2C
24 Password managers address pesky problem
25 The failure of IAM: Small and medium-sized enterprises
27 25 worst passwords of 2013
28 Host-card emulation enables NFC without a secure element. New technology to open up the NFC market, but may be a thorn in telcos’ side
32 Facebook history verifies online daters. Social logins authenticate user-supplied profiles at dating sites
34 British Columbia’s multi-purpose ID: combined ID for driver license, health and online use. The Province of British Columbia had a problem; a weak health card with no security elements and a little-used electronic ID. Officials wanted to improve the security of both while also increasing adoption of the e-ID. The solution was to include the driver license into the mix and issue one card for all three purposes.
35 BC’s citizen engagement: a model for future programs
38 Eurosmart: 7.2 billion smart cards shipped in 2013, rising in 2014
40 Mobile auth will include biometrics and contextual data. Keys could be behavioral, passively collected data
42 Liveness detection forces hand of biometric spoofers. Still, 3D printing and advancing techniques help fraudsters up the ante. Everyone may know about the old gummy bear fingerprint spoof, but with new technologies and materials fraudsters are becoming more inventive. New liveness detection techniques are emerging to help combat the rising tide of fraudsters and help companies produce spoof-proof products.
44 Advancing spoof materials create new breed of attack
47 Datacard acquires Entrust. Roadmap will expand mobile ID, simplify PKI
48 The ins and outs of OTP. Breaches drive enterprises to these hardware, software tokens
50 New Jersey lawmakers consider new Medicaid IDs. Credentials could prevent millions in fraud
52 Gemalto protects Amazon Rainforest
54 Retailers create custom wallets with Airtag
55 Infineon beefs up e-passport chips
56 Identity-as-a-Service 101
58 The new threat on the block
60 Identity and Access Management: What’s in store for 2014?
61 Death of the Password?
62 HID buys Lumidigm. Efforts will pursue new modalities, expand markets
64 Gartner maps the world of user authentication
65 Exploring the ‘Magic Quadrant’
66 Face + voice = access. Facebanx offers multi-modal biometrics for online auth
ABOUT
EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com CONTRIBUTING EDITORS Liset Cruz, Gina Jordan, Ross Mathis, Will Rodger ART DIRECTOR Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2014 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. 
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com
PASSWORDS WON’T DIE BUT AT LEAST YOU’LL LIKE THEIR NEXT INCARNATION ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
I hate passwords. Being in the industry, I should be an aficionado of ultra long, upper and lower case, special character laden codes. I am for a few of my more important accounts, but then there are the random ones that I don’t use very often. For these I choose from a series of basic ones that I use way too frequently. For me, and the world, consumer password fatigue came to a head in 2013 with a mass outcry demanding the “death of the password.” But as I found researching this issue’s cover story, passwords aren’t likely to go away completely. They are simply too easy to implement and use. Like the cockroach, they are unpopular but they may outlive us all. On the bright side, at least they may be getting smaller (passwords, not roaches). The move to long, complex passwords that must be changed frequently may be waning. This is because next generation authentication will likely be multi-layered, adding a series of other techniques and technologies atop a basic password. Imagine combining a simple PIN or password with other approaches such as biometrics, risk-based analytics, embedded hardware modules and technologies that may not yet exist. Now imagine that many of these additions take place in the background, without the need for the user to do anything extra that could delay the login process. Voilà: Frictionless secure authentication. Risk-based analytics will prove to be key in this new world, enabling behavioral information to serve as factors of identity. A very basic analytic could involve device IDs and IP addresses. When accessing online banking from a known IP address and device, a user name and password is sufficient. But when coming from an unfamiliar location, the authentication system will demand more.
PERSPECTIVE
On the mobile this gets even cooler. Using a device’s embedded GPS, risk-based systems can pinpoint a user’s physical location and then assign identity verification techniques based on the potential risk. Embedded hardware modules are also going to be key. These tamper-resistant chips on mobile devices and computers will store private keys and digital certificates that can be used to authenticate access and perform transactions. Think smart card without the credit card format. In the future I would like to authenticate with a biometric to my phone and have that serve as identification to specific apps on the device. Next I could pair my handset to my laptop and have two extra factors of authentication – something I have and something I am – for access to web sites and services. I would still enter a username and password but it wouldn’t need to be complex and unmemorable.
And while this is what I physically “do” to gain access, there would be risk-based analytics running in the background to triple and quadruple check a variety of behaviors and information to ensure my identity at the start and throughout an interaction. We are closer to this secure, frictionless future than we have ever been. Enterprises know that passwords alone aren’t enough and that complex passwords are even worse. The technologies that will strengthen security are increasingly in the hands – or handsets – of consumers. It’s just a matter of enabling them.
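One way to implement the device, network and location check the editorial describes, written here as an added example (it is not the editorial’s or any vendor’s code). It scores a login attempt against what the account has done before and maps the score to the factors the login must present: a password alone when everything is familiar, a one-time code when something is off, an out-of-band check when several signals disagree. The weights, thresholds, signal names and the sample login history are assumptions chosen for illustration.

```python
"""Risk-based step-up authentication (added illustration).

Compares a login attempt with the account's history (device, network,
country, location, time of day) and returns the factors that must be
presented. Weights and thresholds are illustrative, not calibrated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    when: datetime


@dataclass
class AccountHistory:
    known_devices: set        # device IDs seen before
    known_networks: list      # CIDRs the account has logged in from before
    home_country: str
    last_lat: float
    last_lon: float
    last_seen: datetime
    usual_hours: range        # UTC hours in which the user normally logs in


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt, history):
    """Return (score, reasons); each signal that disagrees with history adds weight."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 40; reasons.append("unknown device")
    ip = ip_address(attempt.ip)
    if not any(ip in ip_network(net) for net in history.known_networks):
        score += 20; reasons.append("unfamiliar network")
    if attempt.country != history.home_country:
        score += 25; reasons.append("outside home country")
    # Impossible travel: distance from the last login divided by elapsed time.
    km = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    hours = max((attempt.when - history.last_seen).total_seconds() / 3600.0, 1e-6)
    if km > 50 and km / hours > 900:      # faster than an airliner
        score += 50; reasons.append("impossible travel")
    if attempt.when.hour not in history.usual_hours:
        score += 10; reasons.append("unusual hour")
    return score, reasons


def required_factors(score):
    """Map a risk score to the factors the login must present."""
    if score < 30:
        return ["password"]
    if score < 80:
        return ["password", "otp"]
    return ["password", "otp", "out_of_band_verification"]


def decide(attempt, history):
    score, reasons = risk_score(attempt, history)
    return required_factors(score), reasons


# Constructed sample data: one laptop, one office network, Tallahassee, daytime UTC hours.
def sample_history():
    return AccountHistory(
        known_devices={"laptop-01"},
        known_networks=["203.0.113.0/24"],
        home_country="US",
        last_lat=30.44, last_lon=-84.28,
        last_seen=datetime(2014, 3, 10, 9, 0, tzinfo=timezone.utc),
        usual_hours=range(12, 23),
    )


def familiar_login():    # same laptop, office network, five hours later
    return LoginAttempt("laptop-01", "203.0.113.42", "US", 30.44, -84.28,
                        datetime(2014, 3, 10, 14, 0, tzinfo=timezone.utc))


def new_device_login():  # a new phone, but from the office network at a usual hour
    return LoginAttempt("phone-07", "203.0.113.42", "US", 30.44, -84.28,
                        datetime(2014, 3, 10, 14, 0, tzinfo=timezone.utc))


def suspicious_login():  # unknown device, foreign network, ~9,000 km away, two hours later
    return LoginAttempt("unknown-77", "198.51.100.9", "RO", 44.43, 26.10,
                        datetime(2014, 3, 10, 11, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    h = sample_history()
    for a in (familiar_login(), new_device_login(), suspicious_login()):
        print(decide(a, h))
```

The point of the structure is that the contextual signals only ever add friction: a familiar device on a familiar network gets the plain password the editorial describes, and nothing in the score can remove the password requirement, since device IDs and source addresses are observable and spoofable and must not stand in for a factor on their own.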
Do you know who has proper authorization to be in your secured facility?
SAFE
SAFE is a premises software solution that enables federal agencies, DoD facilities, and other high security organizations to align with FICAM and streamline their physical security operations as it relates to physical access. Our solution centralizes identities, ensures compliance, and provides continuous risk assessment without having to rip and replace existing security infrastructure while providing PIV, CAC, PIV-I validation for employees and contractors, ID authentication, and physical access auditability. With the SAFE solution, security teams can now simplify the control of employees, visitors, vendors and other third-party identities across a global organization ensuring each identity has the right access, to the right areas, for the right length of time. Visit our website to learn more: www.quantumsecure.com/government
ID SHORTS
HIGHLIGHTS FROM SECUREIDNEWS.COM
MARTIN HEALTH DEPLOYS IRIS BIOMETRICS FOR PATIENT ID Stuart, Florida-based Martin Health wanted to protect patient privacy, cut down on fraud and abuse, and make sure patients and records were correctly linked together, says Carol Plato, assistant vice president for revenue cycle at the health care system. Various solutions were reviewed, but the decision ultimately came down to biometrics. Deciding on biometrics was only the tip of the iceberg, however, as Martin was then faced with the question of which modality to implement. Fingerprint was ruled out because of hygiene concerns. Palm vein was also dismissed because of cleanliness questions, which led to iris, Plato says. “It isn’t invasive to the patient in any way and we get a picture and the iris all at one time,” she adds. Martin Health has rolled the system out in its three emergency departments, Plato explains. When the patient goes to the triage nurse when entering the emergency department, they are enrolled in the system. The cameras are used to capture both irises and a photo, which are connected to either a patient’s new medical record or an existing one. If the patient is already enrolled in the system, they simply look at the camera and their medical record is pulled up in the system. The emergency department also has cameras in exam rooms for those cases when a patient is brought in on a stretcher or is unconscious. Martin has even enrolled children as young as two years old into the system. The system will soon be rolled out in a fourth emergency department, and if all goes well, it will be implemented in regular admitting and registration areas as well, Plato says. The system has been in place for 60 days and, thus far, no one has refused to register. The health care provider is using Iris ID cameras and RightPatient software from M2SYS Technology. Iris offers some distinct advantages in the health care environment and is drawing interest, says Michael Trader, president at M2SYS Technology. “Iris is completely contactless and can work on people of all ages,” he adds.

CALENDAR
ISC West, April 1–4, Sands Expo & Convention Center, Las Vegas, Nev.
NACCU Annual Conference, April 13–16, Sheraton Chicago, Chicago, Ill.
CARTES America, May 6–8, Mirage Conference Center, Las Vegas, Nev.
NFC Solutions Summit 2014, June 3–4, Renaissance Arboretum Hotel, Austin, Texas
SDW14, June 16–18, Queen Elizabeth II Conference Center, Westminster, London, UK
Global Identity Summit, September 15–18, Tampa Convention Center, Tampa, Fla.
Smart Card Alliance Government Conference, October 27–29, Washington, D.C.

GEMALTO UNVEILS CLOUD-BASED ACCESS CONTROL SOLUTION Gemalto announced its entry into the Identity as a Service market with CloudEntr, a solution aimed at helping enterprises manage user identities while enabling secure single-sign-on access to web-based applications. CloudEntr enables users to gain access to all their web-based applications by authenticating just once with a unique login credential. With CloudEntr businesses can also transition from sometimes weak user-selected passwords to stronger forms of authentication, including mobile one-time passwords. CloudEntr offers IT managers a dashboard where they can control access to the various cloud apps the same way they control access to servers and applications that they own.

WHAT’S THE HOLDUP WITH E-DRIVER LICENSES? Market analyst IHS Inc. estimates that some 1.4 billion driver licenses are currently in circulation around the globe, a figure that is bested only by national IDs. The number of smart driver licenses, however, is minuscule, representing only 12% of all driving credentials issued by year’s end 2012. Smart national IDs, or eIDs, are popping up in countries the world over, begging the question, what’s the holdup with e-driver licenses? As IHS explains in a recent report, electronic driving licenses (eDLs) are pivotal in fraud and forgery prevention and can also help streamline administrative processes by adding electronic fine collection or storing traffic violations on the license itself. Smart credentials also allow for other functionalities to be added as needed, including storage of medical information, voter card data or travel documents with ICAO compliance. While the benefits may be obvious, IHS states that eDLs are still a ways out with global penetration expected to grow from 12% at present to just 20% by 2018. There are a few reasons for this sluggish adoption, not the least of which could be sparse automotive penetration in a number of national populations in the Middle East, Asia and other regions. Asia, for example, currently maintains the largest installed base of eDLs, accounting for nearly 85% of globally issued eDLs in 2012. This statistic is deceiving, however, as Japan is the key market in the region, representing nearly 40% of the world’s installed base of eDLs in 2012. Meanwhile, IHS expects the market for eDLs in North America – where border relations are a hot-button issue – will be largely driven by Mexico, though the United States and Canada are also projected to contribute. In the United States and Canada, IHS posits that eDL rollouts will be limited to a small number of states, particularly those situated around the United States-Canada border. The expected rise in adoption from 12% today to a projected 20% at the end of 2018 is a step in the right direction for the smart credentials, but nonetheless shows a lack of ambition. Even with the projected rise in adoption, driver licenses will still represent the lowest smart card penetration of any issued credential at the end of the forecast period – a fact that, as IHS suggests, represents a missed opportunity. “By adopting smart driving licenses, so much more can be achieved,” says Filomena Berardi, senior analyst of Financial and ID Technologies for IHS. “For example, penalty points and convictions could be automatically recorded. With the addition of biometric data, insurance and health information could also be stored on the card, meaning that if a driver was involved in an accident or pulled over by the police, the information would be readily available. This is merely the tip of the iceberg, and the use cases for eDLs are endless.”
LIEBERMAN SOFTWARE, SECURONIX TO PROVIDE PRIVILEGED IDENTITY RISK Privileged identity management specialist Lieberman Software is partnering with Securonix to provide IT security and compliance professionals with a means to closely monitor and analyze insider threats based on privileged user activities across the enterprise. “Privileged account access and activity is one of the high-risk areas identified by Risk, Compliance and IT Audit professionals, as these accounts hold the keys to accessing the most critical enterprise computing and information assets,” says Richard Weeks, vice president of Alliances at Lieberman Software. “The fact that at most times these accounts lack identity context, as well as highly focused monitoring in the enterprise environment, means that the keys to the kingdom are often left unscrutinized.” The integration allows the Securonix Security Intelligence Platform to consume Lieberman Software’s Enterprise Random Password Manager and Privileged Identity Management events in real time for automated detection of anomalous user or account behavior as well as advanced privileged identity analytics.
NFC FORUM, IATA PUBLISH NFC GUIDE FOR AIR TRAVEL The NFC Forum and the International Air Transport Association (IATA), announced the publication of a document that will help the air travel industry better understand and evaluate the potential benefits, costs and use cases of NFC technology. The document, entitled “NFC Reference Guide for Air Travel,” is the result of a partnership between the NFC Forum’s Air Transport Task Force and IATA’s Fast Travel Working Group. IATA members offered their expertise regarding the requirements for NFC’s use in various aspects of air transit, while NFC Forum members provided implementation options.
“IATA’s Simplifying the Business program aims to set standards and drive innovation projects that enable a seamless passenger journey,” says Stephan Copart, IATA head, strategy, industry services transformation. “NFC holds substantial promise to provide a smoother and faster airport experience for travelers. The NFC Reference Guide for Air Travel will be a valuable guide to help stakeholders identify potential opportunities from adoption of NFC technology.” The document contains a number of detailed illustrations, tables and charts as well as numerous practical applications of NFC as they relate to the air traveler’s journey. A particular area of focus within the document is core use cases of NFC in air transit, including:
- Secure provisioning, storage and reading of boarding passes on mobile devices
- “Tap-and-go” access to elite lounges
- Access to secured areas for staff via their mobile devices
- Embedded luggage tags to quickly access information and better track progress
- Parking garage access and payment
- Airport shops and on board aircraft purchases
DEPT. OF HOMELAND SECURITY FILLS IMPORTANT BIOMETRICS ROLE The Department of Homeland Security (DHS) is leveraging biometrics to remain on the cutting edge of identity verification and to better ensure the safety of the country. There are a number of agencies that process and interact with international travelers – each of whom must be identified as friend or foe. Enter the DHS’ Office of Biometric Identity Management (OBIM), the agency that is taking the reins for biometric identification. OBIM verifies the identities of international travelers to determine whether they pose a threat to the U.S. As reported by the Federal Times, to address Customs and Border Protection needs, OBIM’s systems have 10 seconds to verify a person’s identity and determine whether foreign travelers are one of the 7.2 million known or suspected terrorists on watch lists. Additionally, when State Department employees send fingerprint queries to OBIM for visa applicants, they do so with an expected response time of 15 minutes or less. That deadline is even tighter for Immigration and Customs Enforcement, where the expected turnaround is just two minutes. A vast majority of the interactions between OBIM and outside agencies are machine-to-machine with little human interaction. In fact, agency officials estimate that 99% of total identity matches are made exclusively using OBIM systems, with fingerprint examiners filling the remaining gaps. According to OBIM’s daily biometric support system located in Arlington, VA, less than 1% of fingerprints – roughly 500 per day – are manually screened into the system. OBIM, which previously operated under the moniker “United States Visitor and Immigration Status Indicator Technology (US-VISIT),” has since its inception amassed a database of some 160.2 million identities, and it’s estimated that between 10 million and 12 million unique identities are added to the system each year. OBIM officials insist that the agency’s purpose is not to simply collect biometric data but to store, manage and analyze hundreds of thousands of fingerprints for federal, state and local governments on a daily basis. In response to OBIM’s ever-growing IT systems and data stores, the agency is weighing its options for cloud-based storage. To assist this eventual move, OBIM has collaborated with the National Archives and Records Administration to augment the fingerprint record retention period of 75 years to better serve customer needs. The 2013 OBIM budget was $232 million – a majority of which was put toward IT operations and maintenance. This will increase to a $241 million budget for the 2014 fiscal year.
NIST: FACIAL RECOGNITION SHOULD GO BEYOND THE BOUNDARIES OF FACE Facial features have long been considered sufficient for recognition and identification of an individual. However, a new report from the National Institute of Standards and Technology (NIST) suggests that the use of facial recognition for identity verification could benefit by adding identifiers beyond the boundaries of the face. The study was published online in the journal Psychological Science by researchers at the University of Texas at Dallas and NIST. It details a series of experiments that demonstrate potentially valuable biometric data for facial recognition systems. The recognition study examined three types of images for comparison: a subject’s face and upper body, the subject’s face alone, and the subject’s upper body with the face masked. It is believed that with the addition of the upper body, identification systems can draw upon more data in the search for a match, a sentiment that has been echoed following the NIST study. NIST conducted a series of experiments, wherein researchers showed participants pairs of images of either the same person or two different people, prompting participants to determine if the photos matched or not. The study team purposely selected a subset of image pairs that automated face recognition systems could not recognize. Study participants were presented with two distinct scenarios. The first saw participants compare the original images containing the face and upper body with faces visible. The second case, however, saw participants compare complete images of the upper body and face with another upper body image with a masked face. In both cases, human accuracy remained constant, indicating that participants primarily made matches based on the common thread, the upper body features. “For twenty years, the assumption in the automatic face recognition community has been that all important identity information is in the face,” says Jonathon Phillips, electronics engineer at NIST and a co-author of the study. “These results should point us toward exploring new ways to improve automatic recognition systems by incorporating information about the body beyond the face.”

CANADA TAPS DATACARD GROUP TO PROVIDE PASSPORT PRINTER TECHNOLOGY The Datacard Group is providing passport printer technology for Canada’s passport issuance program. Datacard’s selection was made by Canadian Bank Note Company Limited (CBN). As the contract holder, CBN is responsible for the design and development of the overall solution including the personalization software, cryptographic components and the design and manufacture of the electronic passports. CBN will leverage Datacard’s PB6500 passport issuance system for central issuance, and Datacard will conduct regional issuance as well as provide a secure, thin film overlay with both overt and covert security elements to protect passport data.
LUMIDIGM HELPS AFRICAN COUNTRIES KEEP TABS ON VACCINATION RECORDS Lumidigm’s multispectral fingerprint sensors and Fulcrum Biometrics’ devices are helping stop vaccine waste for millions of unvaccinated African citizens. The prior vaccine delivery system was plagued by ineffective tracking and reporting, leading to millions of young children not being properly vaccinated. It is estimated that some 2.5 million children born this year will die before the age of five. Lumidigm is hoping to turn the tide with the help of VaxTrac, a non-profit organization that is supported by the Bill and Melinda Gates Foundation. “With our VaxTrac system leveraging Lumidigm fingerprint sensors, we have been able to improve immunization tracking which enables us to reduce waste so that we can vaccinate more people and save lives,” says Mark Thomas, executive director of VaxTrac. The vaccination delivery model in many parts of Africa relies on a large staff of health care workers serving overwhelmingly large and remote areas. Without vaccination records to consult, many patients are unnecessarily re-immunized, others are missed altogether and a limited supply of vaccine is wasted. Lumidigm’s multispectral imaging is designed to overcome the fingerprint capture problems that traditional imaging systems have in adverse conditions. By using multiple spectrums of light and advanced optical techniques, Lumidigm sensors can extract unique fingerprint characteristics from both the surface and subsurface of the skin. “Since the skin of children, especially young children, can be very malleable, we knew from experience that conventional biometric technologies that need a finger pressed against the device do not work,” says Thomas. “The ability that Lumidigm offers to pull fingerprint images from deeper layers produces images less susceptible to distortion and allows us to track vaccinations accurately.” The biometric vaccine registry also enables real-time reporting to streamline supply-chain management and further reduce waste. Lumidigm’s fingerprint sensors made their debut on the African continent in March 2013. Since that time, units have been shipped to Kenya, Uganda and Benin with the largest deployment located in Zambia.
NEW FUJITSU LAPTOP TO SUPPORT PALM VEIN BIOMETRICS The new Fujitsu Celsius H730 laptop is the first to leverage the increasingly popular technology of palm vein biometrics for authentication. It uses biometric security elements to scan the invisible vein pattern in the user’s hand, a pattern that is unique to every person. The biometric solution used in the new laptop is Fujitsu’s own PalmSecure technology. PalmSecure is a non-contact biometric and leverages near-IR rays, which are absorbed by the hemoglobin in a user’s veins. Using image recognition the veins appear black upon scan, allowing the laptop to detect the unique pattern and, if correctly matched, grant authorization. The owner’s vein pattern must be pre-enrolled into the system, with all subsequent authorizations being compared to that original scan. Fujitsu insists that its PalmSecure technology has an incredibly low false acceptance rate at 0.00008%. The Celsius H730 laptop is scheduled for launch in Europe at a base price of £1330, but there is no word yet regarding a US release.
APPLE SUPPLIER USES FACIAL RECOGNITION TO SCREEN FOR UNDERAGE EMPLOYEES Pegatron, the Taiwan-based manufacturer of Apple’s new iPhone 5C device, implemented facial recognition technology to pre-screen applicants and eliminate the employment of underage workers. Employing underage workers is a rather notorious problem in China, where Pegatron is utilizing the biometric solution. The Wall Street Journal reveals that the company’s Shanghai branch is utilizing the facial recognition technology as part of a pre-hiring process. The increased security measures come after the recent death of a 15-year-old at the Shanghai facility. The young man had been under the employ of Pegatron for just one month when he died from pneumonia. The legal working age in China is 16, and Pegatron is hoping that the implementation of facial recognition technology will help to eliminate the employment of underage workers. Pegatron claims that it checks each applicant’s government-issued ID prior to hiring for positions on the assembly line. In addition to checking names against police records, applicants’ faces are also matched to their ID photos using facial recognition technology to single out those using borrowed or stolen IDs. Pegatron claims that the recently deceased employee was able to obtain a legitimate government ID card with his own photo, though the identifying information on it belonged to another individual.
UNBOUNDID UNVEILS UPDATED ID PLATFORM UnboundID released version 4.5 of the UnboundID Identity Data Platform, providing extended capabilities for managing the entire consumer identity lifecycle. The latest version’s capabilities include an end-to-end consumer profile service – supporting profile data aggregation across disparate, heterogeneous identity data stores – as well as key security and performance enhancements to the core identity data platform. Version 4.5’s new features enable the UnboundID solution to act as an “Identity API Gateway,” providing companies with a common consumer profile service built on the standard OAuth 2.0 and OpenID Connect protocols. UnboundID customers – telecommunications, financial services and cloud service providers – can use this update to integrate their customer identity data with a wide range of applications and services leveraging standards-based protocols. “The primary problem we’re trying to solve is having data spread out across various applications and not having a single view of the customer,” says Nick Crown, director of product marketing at UnboundID. “We’re combining several different functions into one single application and product that is focused on the consumer.”
EZ-LINK DEBUTS MOBILE NFC TRANSIT APP EZ-Link, the company behind the contactless stored value ticket for use on MRT, LRT and buses in Singapore, announced “My EZ-Link Mobile”, the company’s first mobile application allowing top-up services to a physical stored value card using NFC technology. The new service is an extension of the current EZ-Online service to a mobile platform, allowing NFC smart phone users to transform their phones into a personal top-up device for all EZ-Link issued cards. My EZ-Link Mobile enables users to manage up to 10 EZ-Link cards and perform functions like top-ups, viewing card details and viewing card transaction history. To top up, just select the desired value and tap the card to the back of any NFC-enabled smart phone. There’s a small transaction fee, but that’s waived for MasterCard holders until May 2014. The app is available now on the Google Play Store, and once downloaded, users will only need to register their personal details, the EZ-Link cards and a credit card to make payment. Only certain NFC-enabled handsets are compatible at the moment, from LG, Samsung and Sony. The company is working to get more handsets certified.
BRINGING BIOMETRICS TO PRISONS THE WORLD OVER Biometrics has established itself as a powerful security and authentication option for the enterprise – and more recently the consumer sector – but Belfast-based Core Systems is using the technology in prisons as part of a rewards and mentor networking program. As reported by the Belfast Telegraph, Core Systems’ software drives security systems in a growing number of correctional facilities in the U.S. and UK. The company operates from its headquarters in Northern Ireland, working primarily with fingerprint and iris recognition. According to Patricia O’Hagan, who heads the company, Core Systems is in the process of scaling up the production and use of its suite of in-cell products. One of its new devices enables prisoners to contact friends and family, as well as access personal information – albeit in a controlled environment using a communal kiosk or from their personal cell. Core Systems’ solution, dubbed Direct2inmate, is an interactive communication and services product for use in prisons, youth detention centers and immigration authorities. According to O’Hagan, the company’s UK installations are helping prisoners to connect with educational programs and linking them to mentors who help inmates find homes or jobs upon release. The biometric devices can also be used as part of a reward system that enables inmates to access entertainment or music that they can take to their cell. As for accessing their personal information, Core Systems’ biometric offerings enable inmates to monitor their funds. Most prisoners aren’t allowed cash during their incarceration, but they can earn rewards and can receive money from their families. The system gives inmates a secure means to make service requests, order items from the in-house shop and report grievances using electronic forms.
TSA TAPS MORPHOTRUST FOR BACKGROUND CHECKS MorphoTrust USA is providing enrollment services for the Transportation Security Administration’s PreCheck application program. TSA PreCheck is an expedited screening program that eliminates the need for pre-approved travelers to remove their shoes, light outerwear and belt. It also enables them to keep a laptop in its case and a compliant liquids/gels bag in a carry-on at select screening lanes. IdentoGO Centers by MorphoTrust provide enrollment services at 300 on-airport and off-airport enrollment centers. MorphoTrust is an authorized enrollment provider for the TSA PreCheck application program under its Universal Enrollment Services contract with TSA. The contract consolidates enrollment and registration services for multiple TSA programs, including the PreCheck application, Transportation Worker Identity Credential and Hazardous Materials Endorsement threat assessment programs, into a single service with convenient locations nationwide.
HID GLOBAL OPENS NEW WORLD HEADQUARTERS IN AUSTIN, TEXAS HID Global officially opened the doors to its new, $35 million world headquarters located in Austin, Texas. Also serving as HID’s North American Operations Center, the new headquarters features 250,000 square feet of manufacturing, office and warehouse space across 22 acres of North Austin’s Tech Ridge area. The facility was designed to minimize environmental impact, meeting the specifications laid out by the Leadership in Energy and Environmental Design (LEED) Certification. The move to the new facilities will be a gradual one, but HID has begun the first phase of operations at the facility ahead of schedule and expects the new headquarters to be operating at full capacity by Q3 2015. Plans for the new campus were announced in May 2012. By 2015 HID expects to employ nearly 400 employees at the facility, which will serve as the umbrella for the company’s corporate functions, manufacturing, assembly and test operations, distribution and sales.
CENTRIFY SECURES ACCESS TO ENTERPRISE SOCIAL MEDIA A new identity-as-a-service solution from Centrify protects an enterprise’s social media properties and other shared accounts. Contemporary organizations are often forced to share access to social accounts that are managed on behalf of the company or brand. To safeguard these properties, the Centrify User Suite, SaaS Edition (“Centrify for SaaS”) protects enterprises’ shared accounts – Twitter, Facebook, LinkedIn, Google+, Instagram, etc. – from internal threats and unauthorized access, including access from users who have left the organization. Centrify for SaaS vaults the passwords for social accounts so users never know or need to use the social app’s password. When an approved user needs to log in to one of these social accounts, they simply log in to the Centrify portal as themselves and click on the shared account. At no time do users have access to the shared password, and an IT administrator can even define when users are allowed to access the app and from what location, and can ask them for additional factors of authentication. Additionally, with built-in administrative views and reports that display which employees have access to shared social media accounts, Centrify for SaaS allows organizations to centralize access to cloud applications in the workplace.
HID GLOBAL, TYCO DELIVER FIRST FICAM-COMPLIANT PHYSICAL ACCESS SOLUTION A partnership between HID Global and Tyco Security has produced a FICAM-compliant solution for physical access control systems. The solution leverages each company’s federal identity solutions, providing added value through increased security, cost efficiencies and interoperability. The U.S. General Services Administration (GSA) introduced the new FICAM testing requirements in 2013 as part of a realignment of its Approved Products List with the FICAM roadmap for standardization. Also part of the realignment is a more consistent approach to the deployment and management of identity assurance, credentialing and access control services. The joint venture uses HID’s pivCLASS Registration Engine, which integrates with Tyco’s Software House C•CURE 9000, for PIV and PIV-I card validation, provisioning and de-provisioning. Credentials presented at the door are cryptographically challenged. If the card is authentic and valid, the card identifier is passed to the Software House iSTAR controller, which then performs the authorization check before admitting the cardholder. A special messaging interface ensures that all invalid transactions are captured and forwarded to the C•CURE 9000 PACS event monitor.
MURATA POWER SOLUTIONS POWERS UP WITH SALTO Murata Power Solutions found itself in a precarious situation. The company acquired the Power Electronics Division of C&D Technologies and had to comply with U.S. government International Traffic in Arms Regulations (ITAR) requirements. These regulations implement the provisions of the Arms Export Control Act and are interpreted and enforced by the U.S. Department of State. Compliance with ITAR is required of all manufacturers, exporters, and brokers of defense articles and services or related technical data on the United States Munitions List. This meant the facility had to have a physical access control system that was a bit more robust than the system C&D had in place. Murata opted to go with SALTO to upgrade its physical access control and meet the regulatory requirements. The company now issues everyone a contactless access card. There are internal movement controls in place within the facility for restricted or standards-based compliance areas, so only authorized employees can access certain areas. The SALTO Virtual Network is used at the company’s remote sites. This system enables stand-alone electronic escutcheons to read, receive and write information to the smart cards. This data is captured from the cards at SALTO Virtual Network online IP access points located around the sites. The “updating points” upload and download user-related information that is then used to permit, control or deny access.
VERIZON, PRIVO PARTNER TO PROTECT CHILDREN ONLINE To kick off its National Strategy for Trusted Identities in Cyberspace pilot, PRIVO has teamed with Verizon to establish the Minors Trust Framework. It consists of a collection of policies and online tools that give parents control over the online activities of their children. It also helps businesses meet the requirements of the Children’s Online Privacy Protection Act of 1998, or COPPA. Verizon’s cloud and identity management technologies will help enable the framework, which will support the use of login credentials by families, teachers and businesses, says Peter Graham, senior identity strategist at Verizon. As the year progresses more functionality will be unveiled, says Denise Tayloe, president and chief executive officer at PRIVO. Eventually there will be a portal where parents can register and enable their children to access sites that comply with the Minors Trust Framework. Alternatively, sites can have systems in place so parents can enable access on a case-by-case basis. For example, the Houston Texans have a kids’ fan club, and if a child wants to sign up, the child would have to enter their parent’s email address and the parent would then enable the child to create an account. If parents already have a PRIVO account set up, certain sites and apps can be preauthorized as well. “We’re going to enable a global kid identity network,” Tayloe says. “There will be assessment criteria for ID providers and relying parties – and it will ultimately provide interoperable service that can leverage existing parent credentials.” The online identity credentials – delivered through Verizon’s Universal Identity Services – will indicate parental consent, helping to reduce the capture of sensitive information about a child and enabling easier, more secure online access to digital content from computers, gaming consoles and mobile devices.
PRIVO expects 1 million credentials to be issued under the Minors Trust Framework by the end of 2014, with a total of 10 million by the pilot’s end in 2015.
SECUREKEY SUPPORTS ANDROID HCE SecureKey’s briidge.net Connect service will support cloud-assisted, device-based user authentication for mobile NFC payments and other proximity transactions made using Google Android’s new Host Card Emulation protocol. A new feature of the recently released Android 4.4, Host Card Emulation enables any Android mobile phone to act as a contactless payment or identity card without requiring a built-in secure element to store and protect the card data. The strong, multi-factor authentication provided by briidge.net Connect offers banks and other card issuers the flexibility in card data security with or without a hardware secure element and regardless of where the data is stored – in the cloud, on the mobile device or both. The solution supports emulation of the full range of common payment card brands.
DATACARD, MORPHO ISSUING INTERPOL TRAVEL DOCUMENTS Datacard Group is partnering with Morpho to support the Travel Document Initiative for INTERPOL, the world’s largest international police organization that works across borders to help prevent crime and enhance worldwide security. Morpho is providing the secure ID management and document production solution used by INTERPOL in the issuance of electronic travel documents to its officials. Datacard is supplying its 3D laser engraving technology for these next generation travel documents.
GOTRUST LAUNCHES FIRST FIDO READY MICROSD FIDO Alliance member GOTrust’s microSD is among the first certified FIDO Ready products to hit the marketplace. The FIDO microSD will work with 99% of existing laptops and personal computers, as well as the 1 billion Android devices currently deployed. It supports FIDO login and includes 8GB memory capacity for user storage. Providing portability from device to device, just one microSD can enable many devices and work for all sites that require or accommodate FIDO authentication.
EXTERMINATING THE PASSWORD
Enterprises take aim at the unpopular, hard-to-kill authenticator
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The American public may not agree upon much in 2014, but one thing that people can get behind is an unadulterated disdain for passwords. They are either too numerous, too hard to remember or too easily stolen. Passwords pretty much suck. This has led to a lot of talk about the death of passwords. But let’s get one thing out of the way: the password is not likely to die off completely. They are the cockroaches of the authentication and identity world: annoying, dirty and ever present. Passwords will remain a factor of authentication, but reliance on this outdated modality is likely to lessen as time goes on and as other systems emerge to better secure systems and devices. Also, instead of 10-character passwords – with upper and lowercase letters, digits and special characters – simpler passwords may well become the norm, combined with other types of authentication. But there’s work to do before enterprises make that move. Systems need to be created, standards need to be accepted and consumers need to be educated so that better identity and authentication services can succeed.
THE PROBLEM WITH PASSWORDS Twenty years ago passwords were a fine authentication tool, says Kenneth Weiss, developer of the token-based authentication technology that became RSA’s SecurID and now founder and CEO at Universal Secure Registry. “You only used them to log on to one or two systems,” he adds. Weiss himself admits to having a password-protected document where he keeps track of his various user names and passwords – a list numbering more than 30. “No one is able to memorize all these passwords, it’s absurd,” Weiss says. While some may say cockroaches don’t serve a purpose, they do clean up messes. Similarly, passwords, while clunky, serve a function as well. “When you’re talking about organizations that don’t have much of an identity and access management infrastructure, user names and passwords might be fine because what they’re protecting might not be that valuable,” says John Zurawski, vice president of marketing at Authentify. User names and passwords are also ubiquitous. “No matter what device I’m using I can call up a web page, enter a user name and password and gain access,” Zurawski adds. As much as passwords are dismissed, they work so long as they’re remembered. “They will remain the mainstay in browser-based systems because they make a lot of sense and are quick and easy,” says Dimitri Sirota, senior vice president of Business Unit Strategy at CA Technologies.
The problem with passwords is that enterprises fail to protect them, says Jamie Cowper, senior director of worldwide marketing and business development at Nok Nok Labs. This isn’t just a problem with passwords either. Encryption seeds left unprotected in databases can lead to the compromise of two-factor authentication systems, as witnessed in the RSA hack of 2011. “The biggest issue lies with these password databases – a concentration of numerous assets at one point of risk – and the inability of anyone to properly secure it,” he adds. All it takes is one database breach, because consumers tend to recycle the same user names and passwords for multiple accounts. “Everyone is gaming the system and everyone is losing when it comes to identity and access management,” says Eve Maler, principal analyst serving Security & Risk Professionals at Forrester Consulting. The vast majority of consumers have multiple accounts on multiple web sites, and keeping track of all these credentials has them struggling, according to a Forrester Consulting report titled “To Increase Security And User Trust, Embrace A Federated Consumer Identity Model.” When choosing passwords at the time of account setup, at least 54% of respondents told Forrester that they pick something they will remember while also meeting the site’s password policy requirements. “Of course, the main goal of password policies is to force users to choose passwords that are not as easily guessable, or calculable from stolen hashed versions, by attackers,” the report states. The unfortunate side effect is that it renders passwords unmemorable. To counter this memory challenge, some 61% of consumers now reuse their passwords. U.S. survey respondents reported an average of nearly 19 online accounts but fewer than 11 distinct passwords over those accounts. It is like a do-it-yourself single sign-on, making it easier for a user to remember the login by sharing it across a series of frequently used sites. The fallacy is that it makes all the sites vulnerable, because a hacker can use the one shared secret to compromise the entire series of accounts. There are also issues trying to recover forgotten passwords, Maler says. Security questions don’t provide adequate protection, and increasingly consumers provide fake answers to the questions. Later, when they try to recover a password, they can’t remember what answer they provided. Federated identity is a possible fix to password woes, but these solutions have too often failed when it comes to privacy and security, Maler says. These schemes typically rely on user names and passwords for access but frequently mandate that consumers give up sensitive information: email addresses, friend lists and other personal data. “There is room for federated identity when you inject privacy and security,” she adds. “Federation and strong authentication pair well and users are signaling that they are ready.”
Recommendations for IAM pros in B2C
Forrester Consulting’s report, “To Increase Security And User Trust, Embrace A Federated Consumer Identity Model,” spells out a series of recommendations for business-to-consumer identity providers.
To begin, recognize the choice you want to make regarding your identity and authentication infrastructure. The three choices are:
Stay as you are and manage your own siloed authentication structure, risking serious breakdowns in user engagement and security.
Become a subscriber of a third-party identity provider, outsourcing identity the way many already outsource payment.
Become a cloud identity services provider, making the service more “sticky” and monetizable.
Next, be honest about your security stance around user login and recovery. The first step to admitting you have a security problem is acknowledging the “security theater” present in your identity and authentication strategy. If the strategy involves only passwords and security challenge questions, don’t be so sure that high security standards are being met. Users can and do undermine efforts, both by choosing passwords that meet policy but don’t have a high degree of strength (such as “p@55w0rd”) and by reusing passwords from other accounts on your site. Relying on static secrets is still a single-factor solution, no matter how many “things the user knows” are required.
Brainstorm identity providers that address the populations and credential strengths you need. If your organization outsources other sensitive business functions, such as human resources apps for employees or payment systems for customers, it should be able to consider outsourcing authentication and other related aspects of user management. But first you have to find one or more suitable identity providers that are likely to be securely authoritative for what you need to know.
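The Forrester sidebar’s point that a password can satisfy a composition policy and still be weak (its example is “p@55w0rd”) is easy to demonstrate. The following is an added example, not code from the report or from any vendor on this page; the common-word list and the substitution table are constructed stand-ins for the large breach corpus a real screen would use:

```python
import re

# Constructed stand-in for a breached/common-password corpus. A deployment
# screens against a large breach list, not this handful of words.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin",
                "iloveyou", "monkey", "dragon", "football"}

# Substitutions that composition rules reward but password crackers undo
# as a matter of course.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_policy(pw: str) -> bool:
    """A typical composition rule: 8+ characters with an upper-case letter,
    a lower-case letter, a digit and a symbol. On its own this is the
    'security theater' the report describes."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word a cracker would try first:
    lower-case it, drop leading/trailing digit or symbol padding, undo leet."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+", "", core)   # leading "!!" or "123"
    core = re.sub(r"[^a-z]+$", "", core)   # trailing "123!" or "2014"
    return core.translate(LEET)


def is_weak(pw: str) -> bool:
    """True when the password is a (possibly disguised) common word."""
    return normalize(pw) in COMMON_WORDS


def assess(pw: str) -> dict:
    """Both views side by side: 'policy_ok' is what many sites check;
    'weak' is what an attacker cares about."""
    policy_ok = meets_policy(pw)
    weak = is_weak(pw)
    if weak:
        verdict = "reject: common word with substitutions"
    elif policy_ok:
        verdict = "accept"
    else:
        verdict = "reject: fails composition rule"
    return {"policy_ok": policy_ok, "weak": weak, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("P@55w0rd!", "p@55w0rd", "Welcome2014!", "Xk7$q!pL9vT2"):
        print(candidate, assess(candidate))
```

Note the mirror-image failure: a long passphrase such as “correct horse battery staple” is not in the list but fails the composition rule, which is why a blocklist check and a minimum length serve better than character-class rules; the sidebar’s deeper point stands regardless, since any static secret remains a single factor.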
Password managers address pesky problem Web browser form fills, password-protected documents and the Post-It note are a few common ways people keep track of passwords. Unfortunately, they’re all low-tech and insecure. Password management software is emerging as a solution for consumers and enterprises to keep track of complicated passwords and, at times, create them. LastPass started off on the consumer side of things but now has an enterprise version for corporate clients, says Amber Gott, marketing manager at the company. Users download the LastPass software and create an account. The solution integrates with the Web browser and then encrypts and stores the individual’s user names and passwords in the cloud, with the login data only being decrypted locally. LastPass also enables individuals to use the system to create complex passwords. When creating a new account on a site, LastPass will offer the option of creating a complex password and then storing it in the vault too.
LastPass works on all major computing and mobile operating systems as well as the major Web browsers, she says. Users can also add different multi-factor authentication solutions for added security.
The enterprise version integrates with Active Directory and other network solutions. IT administrators can push the solution out to users, who then create an account and use it for access. Administrators can provision access, enforce policies and track usage.
Other services encrypt and store the credentials on the user’s devices rather than in the cloud.
The 1Password offering consists of an app and Web browser extension, says David Chartier with AgileBits, creator of 1Password. After a user installs the app and browser extension, 1Password asks to save the credential info for the different sites visited.
When creating a new login for a site, it will offer to generate a new, complex password for the user. When returning to a site, 1Password will automatically log the user back in with the stored credential information. Form fill and new user profile creation can also be done in just a couple of clicks, Chartier says. All the information is securely stored on the consumer’s computer or mobile device. 1Password is available on Windows, Mac, iOS and Android devices.
1Password has an enterprise version as well. Users can create Dropbox accounts that will enable passwords to be shared across users. This same functionality enables users to sync their mobile devices to their computers. 1Password doesn’t store any user data; the consumer is in control, Chartier says. “We don’t have any information on our customers,” he explains. “We don’t even have analytics on what operating systems they are using.”
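The sidebar describes two designs: a vault encrypted in the cloud and decrypted only locally (LastPass) and a vault kept on the user’s own device (1Password). The following added example sketches the first design end to end; it is not LastPass or 1Password code. It assumes PBKDF2-SHA256 for stretching the master password, a second one-way derivation for the login verifier so the sync service never learns the vault key, and, because Python’s standard library has no AES, an HMAC-SHA256 keystream with a separate HMAC tag in place of an AEAD such as AES-GCM. The user name and vault entries are constructed:

```python
import hashlib
import hmac
import json
import os

# Assumptions for this added example (not LastPass or 1Password code):
# PBKDF2-SHA256 stretches the master password; a second derivation yields the
# login verifier, so the sync service never sees the vault key. The stdlib has
# no AES, so an HMAC-SHA256 keystream (a PRF in counter mode) plus a separate
# HMAC tag (encrypt-then-MAC) stands in for an AEAD such as AES-GCM.
PBKDF2_ROUNDS = 100_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """vault_key stays on the client; auth_hash is sent to log in. The second
    PBKDF2 step is one-way, so auth_hash does not reveal vault_key."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes) -> tuple:
    """Distinct encryption and MAC keys derived from the vault key by label."""
    return (hmac.new(vault_key, b"vault-enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Blob layout: nonce(16) | ciphertext | tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Check the tag first: a wrong master password or a tampered blob fails
    loudly instead of yielding garbage."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class SyncService:
    """The cloud side holds only a salt, a hash of the login verifier and the
    opaque blob; nothing stored here can decrypt the vault."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_hash, blob):
        self.accounts[user] = {"salt": salt, "blob": blob,
                               "verifier": hashlib.sha256(auth_hash).digest()}

    def salt_for(self, user):
        return self.accounts[user]["salt"]

    def fetch(self, user, auth_hash):
        rec = self.accounts[user]
        if not hmac.compare_digest(rec["verifier"], hashlib.sha256(auth_hash).digest()):
            raise PermissionError("login failed")
        return rec["blob"]


def round_trip(master_password: str, entries: dict) -> dict:
    """Enroll from one device, then recover the entries on a second device that
    knows only the master password and can reach the sync service."""
    service = SyncService()
    salt = os.urandom(16)
    vault_key, auth_hash = derive_keys(master_password, salt)
    service.register("alice", salt, auth_hash, encrypt_vault(vault_key, entries))
    vault_key2, auth_hash2 = derive_keys(master_password, service.salt_for("alice"))
    return decrypt_vault(vault_key2, service.fetch("alice", auth_hash2))
```

The on-device design the sidebar attributes to 1Password uses the same encrypt/decrypt pair; only the storage location changes, so a dump of the sync service (or of the device) yields a salt, a hashed verifier and ciphertext, and an attacker is left guessing the master password through the PBKDF2 cost.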
[Chart: USERS ARE REUSING PASSWORDS ACROSS MULTIPLE ONLINE ACCOUNTS TO ADDRESS THE MEMORY CHALLENGE. Two questions, each answered as an average for the U.S., Canada, U.K. and Australia: “How many distinct online accounts do you have at websites?” (average number of accounts; values shown 18.6, 14.0, 14.9 and 12.3) and “How many distinct passwords do you use to log in to these online accounts, thinking about the possibility of choosing to use the same password at multiple websites?” (average number of passwords; values shown 10.4, 8.3, 9.6 and 7.8). The country-to-value mapping is not recoverable from the extracted layout; the body text gives the U.S. figures as nearly 19 accounts and fewer than 11 passwords. Source: A commissioned study conducted by Forrester Consulting on behalf of SecureKey Technologies, September 2013]
As it stands, companies aren’t willing to accept social login credentials for access, Maler says. “Financial institutions don’t trust anyone else,” she adds. Still, many enterprises are laying the groundwork for these federated models by implementing single sign-on systems that enable access to devices as well as traditional and cloud-based networks, says Garret Grajek, chief technology officer at SecureAuth. But these privacy-enhancing, convenient and more secure identity systems don’t exist for the masses.
A GLIMPSE AT THE FUTURE Discussions around companies becoming identity providers have emerged as a possible solution. Consumers would pay a fee, undergo some type of identity vetting and then receive a high-assurance credential that could be used to provide identity online. Relying parties – banks, retailers and government sites – would then accept the credentials for access. This is a vision for the identity ecosystem of the future. “The identity provider becomes high touch through single sign-on and the users and relying parties benefit,” Maler says. There are many obstacles to realizing this future identity model but one of the largest is liability. Who is liable if an individual’s credential is fraudulently used or if a credential is given to the wrong person? Maler suggests looking at the payment card market as a model. “Companies outsource liability for payment data so it may also be viable for identity data,” she explains.
ANOTHER TYPE OF AUTHENTICATION MODEL
The failure of IAM: Small and medium-sized enterprises Identity and access management has focused on large systems and enterprises, leaving small and mid-sized businesses on their own, says Francois Lasnier, senior vice president of identity and access at Gemalto. This means that smaller companies haven’t had the ability to deploy proper systems. As the benefits provided by these systems have increased, small and medium-sized businesses are finding it necessary to deploy an identity and access management system and are looking to the cloud to do so, Lasnier says. Cloud-based identity and access management systems are more scalable than their server-based counterparts and enable enterprises to easily integrate server-side apps as well as the increasingly popular cloud-based services. More enterprises are switching to cloud-based apps that enable access from anywhere an Internet connection can be established. Making sure employees can easily and securely access all the necessary applications can be a challenge, but it’s one that a cloud-based identity system can address, Lasnier explains. IT administrators can point a cloud-based identity and access management system to an identity directory and then begin to provision access and rights. These systems provide federation and single sign-on for the users as well as the ability for multifactor authentication, Lasnier says.
Consumers and employees are accustomed to doing certain things in order to gain access to mobile devices, computers, networks or cloud resources. Sometimes it may be as simple as a user name and password, but other times it might involve entering a one-time passcode from a token or smart phone app. In other cases it might even involve a smart card or a biometric. The growth of mobile is pushing in a new direction, as these prior approaches have proved less suited to handsets and tablets. Providers are exploring risk-based and adaptive authentication technologies. “Authentication shouldn’t be tied to any one modality,” says Grajek. “It should be abstracted and then you determine what you want to do.” This adaptive authentication model is what SecureAuth is providing, offering 21 different methods of authentication. Consumers or employees would enroll into a system and choose the type of authentication they would like to have available. Upon returning to that system, and depending on the transaction, the relying party would prompt for some type of authentication based on the risk. “If you determine that someone you know in the U.S. is trying to access information from a device in China then you would prompt for the higher levels of authentication,” Grajek explains. CA’s Sirota concurs that risk-based analytics and the use of “big data” will increase for authentication events. “In the background you’ll have continuous monitoring of who is accessing what information,” he says. “Analytics will churn and determine how to challenge users and present them with a secondary challenge if necessary.” The advancement of these analytics-based systems could eventually be the nail in the coffin of passwords, says Cowper. “They don’t put a lot of validity in the password itself, the validation comes from the user’s behavior,” he says.
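Grajek’s example (a user known to be in the U.S. appearing from a device in China) and Sirota’s description of continuous monitoring amount to a scoring policy that picks the challenge from the context of each request. The following is an added example of such a policy, not SecureAuth’s or CA Technologies’ product logic; the signal weights, the step-up thresholds and the user profile are constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example of a risk-based step-up policy. Weights, thresholds and the
# profile data are constructed; a real system learns them from its own history.


@dataclass
class UserProfile:
    home_country: str
    known_devices: set
    last_country: str
    last_login: datetime


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime
    sensitive: bool = False   # e.g. a funds transfer rather than a balance view


# Constructed history: alice normally works from one registered laptop in the U.S.
PROFILES = {
    "alice": UserProfile("US", {"laptop-7f3a"}, "US", datetime(2014, 3, 3, 9, 0)),
}

# Signal weights (constructed). Thresholds: below 30 password only,
# 30 to 69 add a one-time code, 70 and above require a hardware credential too.
NEW_DEVICE, FOREIGN_COUNTRY, IMPOSSIBLE_TRAVEL, SENSITIVE_ACTION = 30, 40, 40, 20


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> tuple:
    """Return (score, reasons); the reasons make each decision auditable."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += NEW_DEVICE
        reasons.append("unregistered device")
    if attempt.country != profile.home_country:
        score += FOREIGN_COUNTRY
        reasons.append("country differs from home country")
    # A login from a different country within two hours of the last one is
    # physically implausible, so treat it as a likely stolen credential.
    if (attempt.country != profile.last_country
            and attempt.when - profile.last_login < timedelta(hours=2)):
        score += IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    if attempt.sensitive:
        score += SENSITIVE_ACTION
        reasons.append("sensitive transaction")
    return score, reasons


def required_factors(score: int) -> list:
    """Map the score to the challenge the relying party presents."""
    if score < 30:
        return ["password"]
    if score < 70:
        return ["password", "otp"]
    return ["password", "otp", "hardware_token"]


def decide(attempt: LoginAttempt) -> dict:
    profile = PROFILES[attempt.user]
    score, reasons = risk_score(attempt, profile)
    return {"score": score, "factors": required_factors(score), "reasons": reasons}


def record_success(attempt: LoginAttempt) -> None:
    """After the challenge succeeds, fold the event back into the profile so
    the next decision reflects it (the continuous-monitoring half of the model)."""
    p = PROFILES[attempt.user]
    p.known_devices.add(attempt.device_id)
    p.last_country, p.last_login = attempt.country, attempt.when
```

The decision carries its reasons so that an analyst reviewing a step-up can see which signal fired; a policy that only emits a score is hard to tune and hard to defend when it challenges a legitimate user.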
MOBILE BRINGS MORE CONCERNS Mobile adds yet another layer of complexity to the fold. In the enterprise world, the employee isn’t always sitting in an office at the same computer to access resources. Sometimes they’re on a laptop in a hotel, sometimes using a smart phone and increasingly, a tablet. Device authentication is an option, but all possible devices need to be registered before they can be recognized.
[Chart: USERS ARE BEGINNING TO EXPRESS WILLINGNESS TO USE STRONGER AUTHENTICATION. Question: “What are the three actions you are most willing to take to increase your own online security and privacy?” Responses (percentages for the U.S., Canada, U.K., and Australia and New Zealand) for four actions: locking my mobile phone with a PIN so that others can’t use it; using biometrics, such as fingerprint or face recognition, to unlock specific accounts; using biometrics, such as fingerprint or face recognition, to unlock my phone; using an extra one-time code sent to my mobile phone or generated through a mobile app in addition to a password. The percentage-to-country mapping is not recoverable from the extracted layout. Source: A commissioned study conducted by Forrester Consulting on behalf of SecureKey Technologies, September 2013]
Loading digital certificates on to each device is one solution but they have to be properly managed, says Authentify’s Zurawski. “The use of digital certificates is growing, but issuing, managing and protecting them are the keys to a successful implementation,” he explains. The increased use of tablets and smart phones is another reason passwords must either be simplified or ceased, says Sirota. “Passwords are more difficult to enter on mobile devices,” he says. Nok Nok Labs is working with companies to enable the authentication to take place on the mobile device. It might still use a password – in combination with other strong authentication techniques – but instead of that information being stored in a database somewhere, everything would be stored on a secure element in the consumer’s laptop, tablet or mobile phone, Cowper says. If the strong authentication is first handled by an individual’s device, subsequent authentication requests can be transmitted to the specific service using an encrypted digital certificate, he says. The problem of numerous, complicated passwords is no more.
WHAT’S NEXT? Any innovation in mobile authentication is likely to extend across the enterprise, impacting all use cases. This makes the mobile arena a key area to watch. Additionally, risk-based and adaptive authentication schemes are starting to take root in corporate enterprise, as Grajek points out. “Enterprises will solve it first, make it work and then share the standards and protocols with the consumer markets,” he explains. Eventually some sort of multi-factor authentication scheme will be second nature for consumers logging on to sites as well as employees using corporate resources. The key is making it easy to use. “We all need two-factor authentication, but if it becomes too onerous we’ll find a way to get around it,” Grajek explains. Just like we did passwords.
25 worst passwords of 2013
Just as “Jackson” replaced “Aiden” for the most popular baby name in 2013, “123456” eclipsed “password” for the year’s top – and thus the worst – password. The 2013 list was compiled by SplashData, a provider of password management systems, using a large number of passwords from Adobe users following Adobe’s recent security breach. The list of frequently used passwords shows that many people continue to exhibit risky password behavior online by using weak, easily guessable passwords. Some other passwords in the Top Ten include “qwerty,” “abc123,” “111111,” and “iloveyou.”
“Worst Passwords of 2013”
1. 123456 (Up 1)
2. password (Down 1)
3. 12345678 (Unchanged)
4. qwerty (Up 1)
5. abc123 (Down 1)
6. 123456789 (New)
7. 111111 (Up 2)
8. 1234567 (Up 5)
9. iloveyou (Up 2)
10. adobe123 (New)
11. 123123 (Up 5)
12. Admin (New)
13. 1234567890 (New)
14. letmein (Down 7)
15. photoshop (New)
16. 1234 (New)
17. monkey (Down 11)
18. shadow (Unchanged)
19. sunshine (Down 5)
20. 12345 (New)
21. password1 (Up 4)
22. princess (New)
23. azerty (New)
24. trustno1 (Down 12)
25. 000000 (New)
According to SplashData, one way to create more secure passwords that are easy to recall is to use passphrases – short words with spaces or other characters separating them. It’s best to use random words rather than common phrases. For example, “cakes years birthday” or “smiles_light_skip?” The company also suggests using passwords of eight characters or more with mixed types of characters, but notes that passwords with common substitutions like “dr4mat1c” can be vulnerable to attackers’ increasingly sophisticated technology.
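As an added example, not something from SplashData or this article, the following screening routine applies the advice above to a candidate password at enrollment or reset time: it rejects the 25 entries listed, undoes the common letter-for-symbol substitutions so that “dr4mat1c” is compared as “dramatic”, strips a trailing digit suffix so that “password1” is caught as “password”, flags keyboard rows and sequential runs, and accepts a passphrase of three or more words even when it uses a single character class. The substitution table, the keyboard rows and the small dictionary are constructed stand-ins; a deployment would load a full wordlist and breach corpus.

```python
import re

# The 25 entries of SplashData's "Worst Passwords of 2013" list, as printed above.
WORST_2013 = ["123456", "password", "12345678", "qwerty", "abc123", "123456789",
              "111111", "1234567", "iloveyou", "adobe123", "123123", "Admin",
              "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
              "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
              "000000"]

# Constructed stand-in for a real dictionary wordlist.
DICTIONARY_SAMPLE = {"dramatic", "monkey", "princess", "shadow", "sunshine", "letmein",
                     "password", "welcome", "dragon", "football"}

# Substitutions that cracking tools undo automatically (constructed subset).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop", "1234567890"]


def normalize(s):
    """Lower-case and undo substitutions, so 'dr4mat1c' compares as 'dramatic'."""
    return s.lower().translate(LEET)


def is_pattern(s):
    """True for repeated characters, ascending runs (12345, abcde) or keyboard-row fragments."""
    if len(s) < 3:
        return False
    if len(set(s)) == 1:
        return True
    if all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:])):
        return True
    return any(s in row for row in KEYBOARD_ROWS)


def looks_like_passphrase(pw):
    """Three or more words, each with at least three letters, separated by space or punctuation."""
    words = [w for w in re.split(r"[\s_\-,.]+", pw) if w]
    return len(words) >= 3 and all(sum(c.isalpha() for c in w) >= 3 for w in words)


def screen_password(pw, min_len=8):
    """Return the list of reasons to reject pw; an empty list means it passed."""
    problems = []
    raw = pw.lower()
    core = raw.rstrip("0123456789")               # "password1" -> "password"
    candidates = {raw, core, normalize(raw), normalize(core)}
    blocked = {b.lower() for b in WORST_2013}
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidates & blocked:
        problems.append("common password")
    elif candidates & DICTIONARY_SAMPLE:
        problems.append("dictionary word (substitutions undone)")
    if is_pattern(raw) or is_pattern(core):
        problems.append("keyboard or sequential pattern")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 2 and not looks_like_passphrase(pw):
        problems.append("single character class")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1", "dr4mat1c", "cakes years birthday"]:
        print(candidate, "->", screen_password(candidate) or "ok")
```

The normalization is done on the candidate, never on the blocklist, so a digits-only entry such as “123456” still matches itself verbatim and is also caught by the sequential-run check.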
HOST-CARD EMULATION ENABLES NFC WITHOUT A SECURE ELEMENT NEW TECHNOLOGY TO OPEN UP NFC MARKET, BUT MAY BE THORN IN TELCOS’ SIDE Many agree that NFC technology is yet to realize its full potential in the consumer marketplace, but a new piece of Android software could turn the tide and make way for a renewed NFC landscape. The forthcoming Android 4.4 operating system, more commonly referred to as KitKat, will push to Android devices everywhere complete with a technology known as host-card emulation. Host-card emulation is an alternative to standard NFC card emulation – a technology that already exists within a number of NFC-enabled Android devices. NFC emulation leverages a separate chip in the device itself called the secure element. Commonly, these secure elements come in the form of SIM cards provided by wireless carriers, or telcos. When NFC card emulation is conducted, the emulated card is provisioned into the secure element on the device via an Android application. When the user holds their device over an NFC terminal, the NFC controller in the device then routes all data from the reader directly to the secure element. With host-card emulation, however, this premise is taken a step further using a new method that does not involve a secure element at all. Instead, it enables an Android app to emulate a card and
talk directly to the NFC reader, circumventing the traditional secure element altogether. “It is a technology built into a device’s operating system that enables a mobile device to emulate a payment or other card, allowing users to make NFC mobile payments and other proximity transactions,” explains Martin Cox, global head of Sales at Bell ID. Host-card emulation essentially creates a virtual smart card, represented in software form and hosts it in the cloud. It’s a technology that could greatly affect the structure and delivery of NFC services.
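To show what “an Android app emulates a card and talks directly to the NFC reader” means at the protocol level, here is an added model; it is neither Android’s API nor code from Google or Bell ID. It reproduces the loop an HCE service runs: every command APDU from the reader is handed to the app (Android’s HostApduService exposes this as processCommandApdu, with onDeactivated when the field drops), a SELECT by AID picks the emulated card, and a GET DATA releases one single-use credential from a small batch that the remote (“cloud”) secure element provisioned earlier, so nothing long-lived sits on the handset. The AID, the FCI layout, the use of GET DATA and the token batch are constructed assumptions for illustration.

```python
# ISO 7816-4 status words used below.
SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"

INS_SELECT = 0xA4
INS_GET_DATA = 0xCA


def parse_apdu(apdu):
    """Split a short command APDU into CLA, INS, P1, P2, the data field and Le."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than its header")
    cla, ins, p1, p2 = apdu[0], apdu[1], apdu[2], apdu[3]
    body = apdu[4:]
    data, le = b"", None
    if len(body) == 1:                      # case 2: Le only
        le = body[0]
    elif len(body) > 1:                     # case 3/4: Lc, data, optional Le
        lc = body[0]
        data = body[1:1 + lc]
        tail = body[1 + lc:]
        if len(data) != lc or len(tail) > 1:
            raise ValueError("Lc does not match the data length")
        if tail:
            le = tail[0]
    return cla, ins, p1, p2, data, le


class LimitedUseTokens:
    """Stand-in for the remote secure element: the device holds a small batch of
    single-use credentials and must go online to fetch more (constructed)."""
    def __init__(self, tokens):
        self._tokens = list(tokens)

    def next_token(self):
        return self._tokens.pop(0) if self._tokens else None

    def remaining(self):
        return len(self._tokens)


class CloudBackedCard:
    """One emulated card: a label returned in the FCI and a source of one-time tokens."""
    def __init__(self, label, tokens):
        self.label = label
        self.tokens = tokens

    def fci(self):
        # Minimal File Control Information template: 6F len 50 len <label>
        name = b"\x50" + bytes([len(self.label)]) + self.label
        return b"\x6f" + bytes([len(name)]) + name

    def handle(self, ins, p1, p2, data):
        if ins == INS_GET_DATA:
            token = self.tokens.next_token()
            if token is None:
                return SW_CONDITIONS_NOT_SATISFIED   # batch exhausted: refresh online first
            return token + SW_OK
        return SW_INS_NOT_SUPPORTED


class HostCardEmulator:
    """Models the APDU loop of an HCE service: the NFC controller routes every command
    from the reader here instead of to a secure element."""
    def __init__(self, cards):
        self.cards = dict(cards)        # AID bytes -> CloudBackedCard
        self.selected = None

    def process_command_apdu(self, apdu):
        try:
            cla, ins, p1, p2, data, le = parse_apdu(apdu)
        except ValueError:
            return SW_WRONG_LENGTH
        if ins == INS_SELECT and p1 == 0x04:        # SELECT by AID
            card = self.cards.get(data)
            self.selected = card
            if card is None:
                return SW_FILE_NOT_FOUND
            return card.fci() + SW_OK
        if self.selected is None:
            return SW_CONDITIONS_NOT_SATISFIED       # nothing selected yet
        return self.selected.handle(ins, p1, p2, data)

    def on_deactivated(self):
        """Reader link dropped: forget the selection, as the service callback would."""
        self.selected = None


def select_apdu(aid):
    return bytes([0x00, INS_SELECT, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def get_data_apdu():
    return bytes([0x80, INS_GET_DATA, 0x00, 0x00, 0x00])


# Constructed placeholder AID; real AIDs are registered identifiers, not this value.
DEMO_AID = bytes.fromhex("F0112233445566")


def demo():
    """Emulator with one transit card provisioned with two single-use tokens (constructed)."""
    card = CloudBackedCard(b"TRANSIT", LimitedUseTokens([b"\xaa\xbb\xcc\xdd", b"\x11\x22\x33\x44"]))
    return HostCardEmulator({DEMO_AID: card})
```

Because the credential lives only as a short batch of one-time tokens, a third tap after the batch is spent gets 6985 rather than a reusable secret, which is the property the “pure cloud” model relies on in place of tamper-resistant hardware.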
HOST-CARD EMULATION AND CONTACTLESS PAYMENTS
The predominant initial use of host-card emulation will almost certainly be in the payments sector. The adoption of mobile wallets has been sluggish, but Google’s decision to include host-card emulation is expected to shake things up. “Placing the payment credentials in a remote environment and communicating via the cloud, rather than in a secure element inside the mobile device, offers more control and direct access to application issuers, as well as eases the launch of NFC based mobile services,” explains Cox. “With ‘pure cloud’ solutions, the device does not require a physical secure element, as the payment applications are provisioned into a remote secure element and accessed by the device during the transaction.” Host-card emulation mimics cards based on key ISO and NFC Forum specifications. This is important for the future of mobile payments security, as these specifications are already being used and are a verified standard for a potential EMVCo and NFC payment infrastructure. This is good news for Google because host-card emulation services would still comply, in theory, with existing security and technology standards.
This is why insiders suggest Google’s support for host-card emulation makes sense, particularly in the wake of Google Wallet and Isis coming to market. By circumventing a device’s secure element – which in many cases resides within the telco-issued SIM card – Google can enable customers of any mobile carrier to use Google Wallet even if the customer’s service provider is one of the three telcos driving Isis – Verizon, AT&T or T-Mobile. Sprint is the lone holdout of the Big Four telcos that has openly supported Google Wallet. In a nutshell, by leveraging a cloud-based secure element environment, telcos no longer play a central role in NFC payments, placing their desired, intermediary role in the mobile payments sector in jeopardy. There are still kinks that need to be worked out both in the technology and its security, but Android’s dominant smart phone market share has cast doubt on mobile network operators’ future in the NFC mobile payments process.
BY CIRCUMVENTING A DEVICE’S SECURE ELEMENT – WHICH IN MANY CASES RESIDES WITHIN THE TELCO-ISSUED SIM CARD – CUSTOMERS OF ANY MOBILE CARRIER CAN USE GOOGLE WALLET
HOST-CARD EMULATION BEYOND PAYMENTS
Android’s forthcoming KitKat update could be used as more than just a means to skirt Isis and wrestle control of mobile wallets from the telcos. It could in fact be used in any NFC service. By leveraging host-card emulation, NFC handsets remove the physical secure element from the transaction, leaving services such as ticketing, identity and access control to be developed and implemented in a shorter amount of time. Moreover, the inclusion of host-card emulation means that full NFC capability – including operation of the reader functionality of NFC handsets – would be made available to app developers, Cox says. This would give developers the ability to create applications that can turn handsets into contactless card readers, a function that has potential in the mobile point of sale sector and a host of other markets. This handset-as-a-reader aspect of NFC has long held promise for an array of applications and services, but it has seldom been utilized.
Also at the heart of host-card emulation’s potential influence is Android’s market presence. The operating system powers the vast majority of the deployed devices on the market today, and Google seems poised to leverage this with host-card emulation. During the third quarter of 2013, Android dominated global smart phone shipments with an 81% share. “This is a positive step for the industry as support for host-card emulation on Android 4.4 brings service delivery opportunities to a huge segment of the smart phone market,” says Cox. Host-card emulation will also prove to be particularly fitting for issuers who feel that the use of a physical secure element on the device adds insufficient value to justify the hardware’s additional cost.
DEVELOPING APPLICATIONS FOR NFC: THE BENEFITS OF THE CARD EMULATION MODEL (DIAGRAM). PROVISIONING VIA A PHYSICAL SECURE ELEMENT REQUIRES ACCESS VIA THE SE ISSUER (TYPICALLY THE MOBILE NETWORK OPERATOR); PROVISIONING VIA A SECURE ELEMENT IN THE CLOUD ENABLES DIRECT ACCESS TO THE SE FOR APPLICATION ISSUERS
OPENING DOORS FOR NFC DEVELOPERS AND SERVICE PROVIDERS
In theory, host-card emulation will give service providers more available business models, partners and developers with which to work. Companies like Bell ID are prepping to meet new host-card emulation demands head on. As a Trusted Service Manager, Bell ID aids service providers in securely managing and distributing contactless services for their customers via the networks of mobile operators. Cox believes that host-card emulation can blow the doors open for loyalty, couponing, access control and transit ticketing.
Bell ID’s Secure Element in the Cloud solution offers two options – a purely cloud offering and a hybrid cloud/physical secure element option. As Cox explains, the hybrid option offers many of the same benefits of an exclusively-cloud solution – increased flexibility, greater storage and processing power and no need for SIM certification. The only difference is that it includes the accepted security of a physical secure element. For the immediate future, Cox sees this hybrid method being the preferred choice, as it offers a different level of flexibility. “Some service providers will opt for a pure cloud solution, while others may believe that for higher value services it is wise to utilize a physical secure element in either the classic NFC model or cloud/secure element hybrid,” he explains. “The beauty of host-card emulation is in the additional options it brings to the market.”
FACEBOOK HISTORY VERIFIES ONLINE DATERS SOCIAL LOGINS AUTHENTICATE USER-SUPPLIED PROFILES AT DATING SITES Online dating sites can be a playground for fraudsters looking to take advantage of people. The majority of online dating sites are based on the honor system, trusting users to put up their own photo and use their real identity. But this model has obvious liabilities. Catfishing is a term used to describe the act of creating fake profiles on dating and social networking sites to pose as another, often unknowing, person. This and other types of fraud have led at least one dating site to start vetting the identity of its users. “Scams are perpetrated in many different ways and leverage emotions in order to get money,” says Bryan Brown, CEO at TangoWire. TangoWire operates a network of more than 50 online dating communities with millions of users that are accessed by 3,500 web sites. Each community is designed around specialized interests to help singles find others sharing similar interests.
The company is leveraging BeehiveID, an identity verification solution that uses social network analysis and biometric face matching to authenticate user profiles. The system combs through social network data to find patterns that differentiate real accounts from fraudulent ones. The system’s algorithm checks to make sure that a social network account – such as a Facebook profile – is legitimate. It checks the history of that profile, number of friends, likes, comments and other data to ensure it’s not fake. “One of the nice things about Facebook is it created a time-based history,” says Alex Kilpatrick, founder and CTO at BeehiveID. “You can create fake profiles but you can’t create a long history on those profiles.” TangoWire members have the option of whether they want to participate in the identity verification function. Users with a Facebook account can click on a button to authorize BeehiveID to
check the profile. Using this process, TangoWire customers can get an identity score in real time while keeping their Facebook account confidential. TangoWire did offer an identity vetting process prior to adopting BeehiveID, Brown says. If a user sent a photo into the site with their member number handwritten on a piece of paper they could be verified. Having the information handwritten on a piece of paper was unique, Brown says. The verification method was successful but it proved a challenge to some users. “There is some friction and some felt like it was a mug shot, so we didn’t see a whole lot of adoption,” he explains. This verification option is still available to those who don’t want to participate in the BeehiveID system or as an alternative for those that don’t have a Facebook profile. “Trust is a key issue to our customers,” adds Brown. The company has witnessed significant improvements in utilization since it migrated from the prior paper-based method to BeehiveID. “We’ve seen a 21% increase in the number of members participating in the verification process. This is significant because it clearly demonstrates that trust has a substantial impact on participation. We’ve also seen a 30% increase in the number of subscribers who are being successfully verified.” BeehiveID provides a scoring system that gives users a measure of confidence in an individual’s identity. Like a credit
score, the score is a measure of how confident the BeehiveID system is that an individual is who they claim to be. A low score – 400 – is almost certainly a bot or fake account. A high score – 850 – means the account reflects a real person. The BeehiveID identity score can be customized to a variety of use cases. It can validate a weak identity claim: “I am not a bot,” or identify a specific person: “I am John Smith who lives at 123 Main Street in Austin, Texas.” In the TangoWire implementation Facebook is checked, but BeehiveID can make use of other social network profiles such as Twitter and LinkedIn. Integration can be as simple as adding a button to a web page that calls back to BeeHive to request a score. Alternatively, it can be deployed as a back-end service or via an API call. In addition to BeehiveID, TangoWire is also implementing additional profile verification technologies, Brown explains. Last year a model sued another dating site claiming that the site knowingly allowed her pictures to be used by others. To guard against this, TangoWire is creating a database of known images for fake profiles so that those pictures can automatically be rejected. In the world of online dating, caveat emptor is still the rule. But new technologies and solutions for the authentication of user profiles are poised to make the process a bit safer.
VISUAL REPRESENTATION OF A LEGITIMATE SOCIAL NETWORKING PROFILE WITH THOUSANDS OF INTERACTIONS AND CONNECTIONS
VISUAL REPRESENTATION OF A FAKE PROFILE WITH FEWER, STANDALONE CONNECTIONS
BRITISH COLUMBIA ISSUES COMBINED ID FOR DRIVER LICENSE, HEALTH, ONLINE USE CONTACTLESS EMV TO ENABLE NON-PAYMENT FUNCTIONS ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The Province of British Columbia was in a bind. It had a health ID card that was more than 20 years old with practically no security features and little identity vetting on the backend. The province is home to 4.5 million residents, yet had issued 9.2 million BC Care Cards. While some were justifiable duplicates, there were still too many cards floating around in the system. “Basically there were a lot of cards and suspected misuse of the health card,” says Kevena Bamford, executive director for the Provincial Identity Information Management Program in British Columbia. “The Ministry of Health was challenged to replace the Care Cards, strengthen the process of getting the card and incorporate more security features.” While this was happening, the Ministry of Technology, Innovation and Citizens’ Services was looking to expand the functionality of their BCeID service, Bamford says. The BCeID is an online credential that citizens can use to access government services. Typically it was a low-level, self-asserted credential that takes the form of a username and password combination that was federated for use across provincial online services. The citizen could conduct in-person vetting to raise the level of assurance underlying the username and password login. Unfortunately, few citizens opted for this in-person vetting. Like the BCeID, the Care Card was typically a low security, level one credential. So the Ministry of Technology, whose primary function is supporting other agencies with the delivery of their technology solutions, started to work with the Ministry of Health. The goal was to improve the security of the BC Care Card while also increasing the usability and identity assurance behind their eID service. Enter the ICBC Driver Licensing Services. Every half-decade a license expires and the citizen must show up to renew the credential and provide foundational documentation. Thus, this is the one government agency that has both in-person contact with citizens and has access to the documents that prove citizen identity. The ministry saw a chance to kill three birds with one stone. When citizens came to renew their driver license, the same foundational documents could be used to receive a health ID card and increase the assurance level of the eID, Bamford says. Then came another idea. What if one card was used for all three functions? Thus was born the BC Services Card: driver license, health ID and electronic ID all rolled into one contactless smart card that serves as an
extremely strong, level three credential. By the close of 2013, the province had issued 800,000 BC Services Cards, Bamford says. Residents can choose to combine their driver license and Services Card, or have a standalone Services Card. All Services Cards replace the prior Care Card with improved identity proofing and security features and also enroll citizens in the digital identity program. The contactless smart card has an EMV application stored on it that will eventually be used to authenticate an identity. Uptake on combination cards has been a little slower than expected, Bamford says. There are businesses around British Columbia that require two forms of identification and two of the most common pieces are the driver license and health ID card. Spreading the word to businesses regarding acceptance of the new combination card has been slow. British Columbia is working with SecureKey to enable the BC Services Card to be used for access to online provincial services. SecureKey also has a contract with the Canadian federal government to enable contactless bank EMV cards to be used for access to federal services, and there is potential to enable the BC Services Card for
access to federal resources as well, Bamford says. The province is working to build authentication service functionality and business cases so the card can be used to digitally access online services, she explains. At the moment, however, the chip is yet to be used. Still, significant value has been gained based on the fact that all 800,000 eID holders have undergone the stronger in-person identity vetting. The goal is for citizens to have NFC readers attached to their computers where they could tap the card, enter a passcode and then gain access to online government services. One day, citizens might do the same thing at a doctor’s office to authenticate their identity in order to receive health services. Government officials are working on the authentication services and business requirements that will enable the smart card’s use, Bamford says. Citizens are being asked how they expect the services to work and what services they would like to see offered. The results are mixed, particularly around the area of usage history, Bamford says. “Many people in the early focus groups said they would expect to access usage history, similar to a bank account’s transaction history,” she explains. “Others refuse this concept outright, claiming it’s a compromise of privacy and personal security.” Over the course of 2014, the province plans to work with programs and begin to roll out some digital services that can leverage the authentication service, Bamford says. “Citizens of British Columbia are very interested in using the card,” she adds. “There are many years ahead of us in building the system as well as dialogue around using the credential.”
RESIDENTS CAN CHOOSE TO COMBINE THEIR DRIVER LICENSE AND SERVICES CARD OR RECEIVE A STANDALONE SERVICES CARD
USING THE BC SERVICES CARD TO ACCESS ONLINE SERVICES
BC’S CITIZEN ENGAGEMENT: A MODEL FOR FUTURE PROGRAMS KALIYA “IDENTITY WOMAN” HAMLIN
Because of my decade-long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it. The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face-to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government. The Services Card was developed over the last 10 years under the Ministry of Technology, Innovation and Citizen Services. Inside the same ministry an office of Citizen Engagement was created four years ago. The minister of these two offices was one and the same and to ensure the success of the project, he instructed the offices to work together to conduct a wide-ranging and meaningful consultation on the future of the card. The first step was the creation of a white paper, Designing the Digital Service Consultation. It described core issues raised by deployment of the card and outlined processes project leaders could use to address these issues. They could have simply moved ahead with what was outlined but instead solicited feedback and used it to adapt the approach.
The User Panel was one of three streams outlined in the white paper that would feed in to a, still forthcoming, final report to government. The other two were the specialist consultation, the part I was involved with, and an online survey that any citizen could fill out. This User Panel method was chosen because the Province’s approach to digital services and identity management are both reasonably complex subjects and require time to understand. By convening the panel of citizens over two weekends they provided time for participants to get up to speed. Secondly, for recommendations to have legitimacy, the broader public needed to have high confidence that the right mix of British Columbians had an opportunity to contribute to the discussion. The way the panel was selected meant that it was a defensibly representative group of citizens to both consider the issues put to them and to legitimize their recommendations. So how was this panel selected such that it would be representative of the population, age, income, ethnicity, gender, and geography of the province? The Office of Citizen Engagement sent out a letter to 16,500 randomly selected citizens – one in 110 – across the province inviting them to signal interest in participating. From this group, 800 individuals responded sharing basic demographic information, age, gender and location. From this group, 36 were selected – an equal number of men and women across age groups and from around the province. They also specifically selected a person with a disability and a person of aboriginal descent. A critical success factor, highlighted in the white paper, was the need for the government to be clear about, “what it needs to learn so that it can ensure public input can most effectively inform its decisions.”
From the White Paper: Designing the Digital Service Consultation
The Government set two specific tasks for the Panel:
1. Review the Province’s approach to digital services, recommending actions the Province can take to build citizens’ confidence in the Services Card and in the digital services that take advantage of the opportunities it creates.
2. Recommend principles and priorities for the design and implementation of digital services and the next phase of the provincial identity management program to support the Province’s vision to save citizens’ time in their interaction with government and make it easier to access better quality services.
This was then broken down into five more specific questions:
Where should the Province focus its efforts in using the Services Card to create new kinds of digital services, and why?
How can the Province best balance privacy, security, cost effectiveness and convenience in the design of the Services Card to include key features such as pass code reset and managing transaction history?
What actions can the Province take to build citizens’ confidence in the Services Card and in the digital services that take advantage of opportunities it creates?
How should the Province explore using data created from digital services to improve policy and services?
What would it mean for BC’s identity management service to be used by organizations that aren’t part of government?
An independent chair and facilitator of the panel led the process and developed the learning curriculum for participants. It involved learning from the government how the Services Card worked and their perspectives on digital futures. It also included the views of the BC Civil Liberties Association and the BC Privacy Commissioner. As part of their deliberations participants explored different possibilities through group discussion and sorting exercises. The Citizen Panel report was completed and submitted to the government. The Office of Citizen Engagement is now weaving the outcomes of all three streams of engagement into the final report that is to be released this spring. I asked David Hume, the executive director of Citizen Engagement for the Province of British Columbia, what resources he would recommend for those considering citizen engagement within their jurisdiction. He suggested that the web site, Participedia.net, is a great place to explore a variety of case studies. More step-by-step guidance for such processes can be found at the National Coalition for Dialogue and Deliberation (ncdd.org) and the Canadian Coalition for Dialogue and Deliberation (c2d2.org). Additionally, the Environmental Protection Agency has good, broad guidance (epa.gov/oia/public-participation-guide/index.html).
EUROSMART: 7.2 BILLION SMART CARDS SHIPPED IN 2013, RISING IN 2014 Eurosmart released its findings and forecasts for the 2013 and 2014 worldwide shipments of microcontroller-based Smart Secure Devices. An estimated 7.2 billion Smart Secure Devices were shipped in 2013, a number that is projected to grow by 7% to more than 7.7 billion units in 2014. These numbers, according to the organization, suggest the global demand for high-end technological solutions combining convenience and security is strong. Contactless technology – including near field communication and dual-interface cards – is leading the charge. A growing proportion of electronic ID cards, like the electronic driving license or electronic passport, now include contactless technology. According to the Eurosmart forecast for 2013, one-half of all secure eDocuments in the government sector are contactless. Cards used in public transport are virtually all contactless, as are many physical and logical access cards like company access badges. For 2013, 930 million contactless cards were shipped, an increase of 41% over 2012. And this does not include the 250 million NFC secure elements shipped during the year.
GOVERNMENT ID AND HEALTH CARE
New countries are starting to adopt electronic vehicle registration cards especially in Europe with the application of Directive 2003/127/EC.
NEAR FIELD COMMUNICATION
There has been steady growth in national eID programs with large reference countries already rolled out and new programs – including Brazil, Indonesia, Japan, Russia and Turkey – to be implemented. The International Civil Aviation Organization (ICAO) standard for electronic machine-readable travel documents is now used worldwide in four kinds of documents: passports, residence permits, national eID with travel function and registered traveler programs. More than 10 EU member states will implement electronic driving licenses to comply with Directive 2012/36/EU, including Croatia, France and Ireland, the first countries to roll out in 2013.
Following shipments of 250 million units in 2013, Eurosmart forecasts more than 400 million NFC secure elements to be shipped in 2014. The NFC ecosystem is maturing with NFC-enabled mobile devices now available from almost all global handset manufacturers and deployment of contactless point-of-sale terminals is ongoing. Mobile network operators, banks, merchants and transport authorities are embracing secure NFC services. NFC is enabling use cases beyond payment in combination with location-based services and other approaches.
2013 Shipments: 50% of all secure eDocuments in the government sector are contactless; 41% more contactless cards were shipped in 2013 than in 2012 (930 million shipped); 250 million NFC secure elements shipped in 2013.
MOBILE AUTH WILL INCLUDE BIOMETRICS AND CONTEXTUAL DATA KEYS COULD BE BEHAVIORAL, PASSIVELY COLLECTED DATA The use of biometrics on mobile devices will serve many purposes. The iPhone 5S has heralded the technology’s convenience factor, but as more corporate enterprises address the Bring Your Own Device conundrum, biometrics will play a bigger role in securing devices and access to networks and data. Gartner Inc. predicts that by 2016, 30% of organizations will use biometric authentication on mobile devices, up from just 5% now. Another consultancy, Goode Intelligence, echoes the increase of biometrics on mobile devices. Goode predicts that by the end of 2015 there will be 619 million people using biometrics on their mobile devices. This not only refers to fingerprint biometrics but other modalities including voice, iris, facial and behavioral biometrics.
THE ENTERPRISE PROBLEM It’s no secret that complex passwords are problematic on smart phones and tablets, but just requiring a four-digit PIN is also not enough security. Gartner recommends a password policy – one that prohibits dictionary words and requires use of at least six alphanumeric characters – be enforced on devices with access to corporate information. “An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits,” said John Girard, vice president and analyst at Gartner. “However, even a six-character lowercase alphanumeric password can provide billions of values. For most practical applications, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smart phones and tablets.”
REMOTE WIPE Some organizations attempt to counter the risks from a lost or stolen device by implementing controls that wipe a device after a preset number of incorrect password entries or by remote command. “This practice does not wholly mitigate the risk because solid-state memory is nearly impossible to overwrite,” says Girard.
In addition, Gartner recommends that a further authentication method – at a minimum, another password – be used for access to sensitive corporate applications and data. In this way, even if a hacker breaches the device’s power-on defenses, each subsequent app or store of data presents an additional challenge that should collectively present too great of a hurdle to be worthwhile. In some cases, higher-assurance authentication may be required. In the workstation model, users would have a hardware token that they could use for additional authentication, but this hasn’t worked in the mobile world. “It is often spurned in mobile use cases because of the poor user experience with most kinds of hardware tokens,” says Ant Allan, research vice president at Gartner. “Juggling the token in one hand, the phone in another and a latte in the third is increasingly resisted by mobile device users.” Software tokens, such as X.509 credentials on the endpoint, provide options in this case, but mobile device management tools still need to be implemented.
BIOMETRIC OPTIONS OFFER COMPROMISE Gartner recommends that security leaders evaluate biometric authentication methods where higher-assurance authentication is required. Suitable modalities include interface interactivity, voice recognition, face and iris. These can be used in conjunction with passwords to provide higher-assurance authentication without requiring any significant change in user behavior. Additionally, as a mobile device begins to provide a node of identity-relevant contextual data, this information can also be used to increase the trust in the claimed identity. It is possible that the combination of passive biometric authentication and contextual authentication will provide sufficient assurance in medium-risk scenarios without the need for “gateway” authentication events using passwords or tokens. It is also important, when planning an authentication policy that includes mobile devices, to consider the burden on organizations and users alike so that the policy is sustainable. “Adopting significantly different authentication methods for different devices will eventually be unsustainable,” Allan says.
BIOMETRIC-ENABLED DEVICES ON THE WAY The consumerization of biometrics is making mobile device protection and identity verification more convenient. Goode Intelligence believes that the iPhone 5s is just the start of the trend for embedding biometric sensors and services into consumer electronic devices. It will have a transformational effect on how we interact with technology and digital services, says Alan Goode, founder of Goode Intelligence in his report, “Fingerprint Biometrics and Mobile and Wearable Biometrics.”
The next stages of consumer biometrics will create solutions that are seamlessly integrated, including embedding fingerprint sensors within touch screens and touch pads. This next generation of fingerprint sensors – what Goode terms “Invisible Touch” – is driven by the need for greater user convenience and a desire to remove physical buttons from mobile devices. Positioning the fingerprint sensor underneath, or within the touch screen enables mobile device manufacturers to remove physical buttons. It also retains the convenient method of touching a finger on the front of a mobile device for identification. Invisible touch is not only suitable for smart mobile devices. Any consumer electronic device that uses a touch screen or a touch pad has the potential to integrate a fingerprint scanner under or within the screen. This could include smart TVs, gaming handhelds, tablets, touchscreen monitors, smart watches, as well as touchscreen-integrated domestic appliances and smart house control technology. This is a huge potential market and is part of the wider consumerization of biometrics that will revolutionize how we interact with technology, says Goode. However, he cautions that access to biometric sensors is not enough. These sensors must be connected to services that are in demand. “Unlocking a device is simply not a compelling reason to equip it with a biometric sensor or biometric software service,” Goode says.
LIVENESS DETECTION FORCES HAND OF BIOMETRIC SPOOFERS
STILL, 3D PRINTING, ADVANCING TECHNIQUES HELP FRAUDSTERS UP THE ANTE
ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS
For as long as biometric technology has been used for access to secure areas there have also been attempts to fool these scanners. Combating “spoofs” is an ongoing process, and with biometric technology positioned to serve a key role in mobile security’s future, it is getting even more attention. The real strides in spoof mitigation have been taking place in the arena of liveness detection. “Primarily we’re working in fingerprint liveness detection on the software and algorithm side,” says Stephanie Schuckers, Associate Professor at Clarkson University. The term “spoofing” is something akin to a Wiki entry, as the definition continues to grow and change over time. So much so that if you were to ask five different people to define spoofing, you may well get five different answers. To combat this confusion and better characterize the threat, Schuckers and others in the field are coining a new term – presentation attack. “Spoofing is a general term that can refer to a lot of different things. Is spoofing trying to be a specific individual? Is it just using a fake biometric? There’s still a lot of confusion,” says Schuckers. “We’re cementing our vocabulary so we can all speak about the same thing.” The term “presentation attack” is fairly specific, referring to how one presents a biometric and tries to interfere with the operations of the biometric system. When it comes to presentation attacks, key elements to consider are whether the image applied to the sensor is a real body part and whether the collected image actually belongs to the person who provides it. Enter liveness detection.
THE METHODOLOGY In what is likely the most high profile spoofing attack in recent history, Apple’s Touch ID fingerprint sensor fell victim to attack two days after its release. What, then, does the spoofing process entail? According to Mark Cornett, COO of NexID, to spoof a fingerprint recognition system the first step involves the acquisition of the original biometric in the form of a latent, or lifted, print. This can be obtained from an appropriate surface such as a glass, doorknob or touch screen device – a process that according to Cornett is as simple as it is quick. “Acquiring latent prints can be done with a variety of methods all of which involve highlighting or enhancing the print, and capturing it via lift tape or photography,” explains Cornett. “The captured print is then digitized, a step that can be done very quickly.” From the digitized print, some attacks are attempted using a high-resolution image of the fingerprint, which is then presented to the scanner. This method may seem simple, but it gets more sophisticated. A more complex method requires the spoofer to create a mold from the fingerprint image, which is used to cast a dummy finger using a chosen spoof material. Several techniques for creating the mold exist. “When printing the image onto transparency film, the thickness of the printed ink is actually enough to cast a 3D spoof,” he says. “Etching the image on a blank printed circuit board or converting the 2D image to a 3D file and printing this out using a 3D printer also work. Adobe Photoshop can easily facilitate this 2D-to-3D conversion.” Cornett and the NexID team focus on the non-cooperative side of presentation attacks, lifting latent prints and using them to make molds. “We work with acetate molds, etched molds and we’re now looking into 3D printed molds,” reveals Cornett. “3D printed molds are particularly interesting because you can lift the image, digitize it, put into Photoshop – and make the ridge-valley differential as shallow or deep as you want. Send that geometry to a 3D printer and you get a full plastic mold that is extremely accurate.”
PRODUCTIZING THE SPOOF
The increased adoption of biometric recognition systems has given rise to a new industry, the business of liveness detection. As a result, Clarkson University spinoff NexID was formed to commercialize early research in liveness detection. Not long after, the company began drawing interest from fingerprint manufacturers. The company developed a software-based liveness detection application. “It’s an extractor-based application that mimics matching software, only its features pertain to the inherent differences between live and spoof-generated images,” explains Cornett. “It conducts image processing and statistical analyses based on a set of algorithms and roughly 160 features.” NexID consults with sensor manufacturers to identify chinks in their products’ armor, along the way finding out which spoof materials are most effective and prescribing patches for vulnerabilities. These patches can take the form of tweaks to the NexID software algorithm, which tunes it to best serve the specific sensor. In the field, the software application then provides a score back to the target device, at which point the user application can either accept or reject the liveness of the finger image applied to the reader.
While NexID’s offerings are strictly software based, there are other spoof mitigation measures available. “Scanner and sensor manufacturers are beginning to take steps to incorporate spoof mitigation and liveness detection techniques into their devices,” says Cornett. “Some involve collecting additional biometrics from which they can infer liveness, such as temperature or blood flow.” “Others are measuring deformation of the material being scanned – as compared with skin deformation – and still others are using software and image processing to discern differences between live and spoof,” he explains. On the horizon, international standards are being developed to establish common presentation attack detection tests for scanners and sensors.
THE SPOOF LAB NexID maintains its own spoof lab, a veritable ground zero for any and all manner of biometric recognition experiments. It’s here that Cornett and the rest of the NexID team test not only spoof materials and methods, but sensor and scanner products as well. The team uses the spoof lab in a number of ways. “We do vulnerability analyses on any of the devices that we can get our hands on,” says Cornett. “This helps us to learn things about different fingerprint technologies. It’s a great marketing tool for when we talk to a manufacturer because we can tell them what spoofs work on their products and provide a solution.”
When a sensor manufacturer comes to NexID, they do so with the knowledge that their product will be put through the paces to find any anomalies that would leave their product susceptible to presentation attacks. Each set of analyses is a one-off process, with every company and every product yielding different results. “When we deploy our technology onto a platform or sensor, it’s a custom implementation,” says Cornett. “It’s custom because over time we have learned that the differences and nuances between devices – even within the same brand – are different enough that the classifier needs to be tailored to that product.” It’s these subtle nuances that make presentation attacks so dangerous. These nuances also make the work being done at the NexID spoof lab an ever-evolving process. There are, however, a few standards that hold true for each of NexID’s vulnerability analyses. First, Cornett and his team need a dataset of around 10,000 images to conduct a proper analysis, and for every deployment NexID conducts an image collection or data set generation. “The live images are fairly easy to collect in a short period of time, but the spoof images are terribly onerous to mass-produce and then scan in using the target device,” says Cornett. Thankfully, NexID has begun to see patterns develop in the materials being used. “We have about 50 different recipes that we use at our spoof lab,” says Cornett. “For every device we work with we use as many as a dozen different materials to make our spoof prints, but most of the time we can get by with using half a dozen spoof materials to comprehensively test a target device’s vulnerabilities.” The other primary focus of NexID’s spoof lab is to decipher the next method of presentation attack. In essence, stay one step ahead of the spoofer. “We’re like an anti-virus company in that respect, we’re trying to outthink the bad guys and discover and test different materials or technologies that they might use,” says Cornett.
Advancing spoof materials create new breed of attack
The technology behind presentation attacks is undoubtedly evolving, yet the majority of materials remain common, everyday consumer products. According to Cornett, however, a new generation of spoof materials may already exist. He explains that when you take the mold-making process a step further with the advances in 3D printing, the presentation attack takes on a new level of danger. One particular feature of the fingerprint that may be overlooked in practice is the moisture that is naturally secreted by the skin’s pores. This is one of the key elements that makes capacitive-touch sensors tick, and as Cornett explains, spoofers may soon have a way around this as well. “We’re talking to a couple of 3D printing companies and encouraging them to come up with a polyhydrogel material – think a semi-porous gummy bear – that can absorb and diffuse liquid,” says Cornett. “Imagine printing a 3D finger with image properties similar to a real finger that also has the ability to diffuse saline or oil solutions.” Accounting for details as small as pore moisture would make the art of the presentation attack a seemingly simpler feat. NexID, however, sees it as an opportunity to further deter attack. “If you can create a spoof to that caliber and then develop a countermeasure to that with software, then you would be hard pressed to find a bad guy with that level of ability,” says Cornett.
EXECUTING A PRESENTATION ATTACK An effective presentation attack requires a tailored approach. How durable does the material need to be? How many times will I have to use it? Is the sensor capacitive, that is, does the spoof mold need to be moist? It’s an involved process that requires great attention to detail. Cue the “average Joe” argument. Obtaining the necessary spoof materials is easy, almost as easy as it is to find the recipes on the Internet. Moreover, when the standard list of spoof materials includes consumer products like wood glue, gelatin, Play-Doh, latex paint, caulk and wax, the odds seemingly favor the spoofer. The choice and effectiveness of materials will often depend on the underlying technology of the fingerprint sensor in the target device. Even execution is a relatively straightforward practice. “Prowess in making good molds takes some time; you have to get the knack of it,” says Cornett, speaking from experience. “Learning to effectively lift latent prints takes some time and practice, but we can get a good latent print off of a drinking glass or iPhone screen in under 30 seconds.” What, then, would an actual presentation attack look like? Unfortunately, by the very nature of the topic the best attacks go undetected, but Cornett explains the general approach. “Even if you had a van out front of the building with all your spoof making supplies – computers, molds, imaging equipment, etc. – you’re not going to be able to grab the target device, return to your van to make molds to conduct the attack and get back inside to replant the device in less than an hour; you’re going to have to make two trips,” explains Cornett. “On the first trip, you would lift the latent print and take it back to the comfort of your lab where you would build and test an array of spoofs. The second trip would be to return for the actual target device and presentation attack.” Cornett’s response to the claim that the average Joe won’t be able to do this? A capable spoofer is not going around trying to snatch phones from everyday people, he explains. “The perpetrator is someone more sophisticated, who is going after a high-value target – government official, politician, corporate executive, etc. – someone whose data is worth going through that trouble to obtain.” Unfortunately, where there’s a will, there’s a way. “Nearly every sensor manufacturer is vulnerable,” claims Cornett. “Some are better protected than others because they’ve deployed their own spoof detection technologies, but 85-90% of the products shipping in the field today are highly vulnerable.”
THE MOBILE FRONTIER At the risk of beating a dead horse, Apple’s Touch ID sensor marks a new age in biometrics. Many believe the future for biometrics lies in the mobile sector, with consumer electronics poised to lead the way. But the shift to mobile also means presentation attacks will evolve, begging the question, what will the future of mobile biometrics hold? “Historically our customers have been the manufacturers of peripheral devices that are controlled by PCs, laptops and servers, and the original development of our software was targeted to that platform,” says Cornett. “With those initiatives, computing resources were very plentiful, but with the move toward the mobile and general embedded markets – door access terminals, payment terminals, etc. – we have had to begin re-architecting our application to achieve the same or better performance with much fewer resources.” Cornett is referring not only to a pinch in computing resources but to image quality as well. “Our initial attempts to port to those platforms have either required too much execution time or they required us to strip out some of the liveness detection and live with a higher error rate.” The re-architecting efforts are progressing, bringing the memory footprint down dramatically. “We’re confident that we will maintain the same or better performance on the mobile platform in the future,” says Cornett. On the academic side of the coin, the work being done by Schuckers and the folks at Clarkson stresses the importance of progress as well as understanding. “I encourage the field to put in place as many factors as possible for presentation attack detection, but I also think we need to recognize that the biometric itself has vulnerabilities just like any other security measure,” says Schuckers. “We need to be aware of what those vulnerabilities are, look at the way we’re using biometrics and assess those vulnerabilities.”
DATACARD ACQUIRES ENTRUST
ROADMAP WILL EXPAND MOBILE ID, SIMPLIFY PKI
It’s been a year since the Datacard Group and Entrust Inc. started talking about becoming one company. The two had a lot in common, with government and financial institutions being their largest customers and no overlap or competition when it came to products, says Josh Jabs, vice president of government vertical marketing at Datacard. The acquisition of Entrust gives Datacard more options when it comes to the ever-growing identity markets. “We looked at a number of different targets and Entrust checked off a number of the boxes,” Jabs says. “Identity has been a growing business and customers were asking us to do more on the certificate side.” A large part of Entrust’s business is SSL certificates that are used to identify web sites. Most of Entrust’s business in this arena lies in North America, but with Datacard’s international reach this portion of the business could be poised for growth, Jabs says. There’s also the possibility of adding certificate management service to other parts of an enterprise for mobile devices, smart cards and other services, says Dave Rockvam, chief marketing officer at Entrust. “We’re aiming to make it simple to go in and do PKI,” he explains. Specifically the company wants to focus on the mobile device. Datacard has been working with financial services companies to bring payments to the mobile, but with the Entrust acquisition it can also bring identity services to the handset. “As we began digging in with Entrust we discovered that there’s a lot of complementary technology that will enable us to accelerate the mobile identity side of the business,” says Ray Wizbowski, vice president of financial vertical marketing at Datacard.
The acquisition is going to reshape how people think of Datacard, Wizbowski says. “It’s been viewed as a hardware only company but this makes us a strong software business and it enables us to have a solutions approach from the identity and payments side,” he adds. Dave Wagner will be president of Entrust and report to Todd Wilkinson who is president and CEO of the newly combined company, which will employ a staff of nearly 2,000. Together the company will enable its customers to issue more than 10 million physical identities each day, handle more than 200 billion transactions per year, and manage billions of identities, including the majority of payment cards and identification solutions in more than 100 countries. Terms of the deal were not disclosed.
THE INS AND OUTS OF OTP
BREACHES DRIVE ENTERPRISES TO THESE HARDWARE, SOFTWARE TOKENS
WILL RODGER, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Faced with relentless attacks by high-powered hackers, hardware and software makers are increasingly turning their attention to passwords that can be generated on the fly, used once and then discarded forever. Once thought to be overkill for all but the most sensitive data, the technology is being picked up by mainstream users at a pace unforeseen just a few years ago. “The strengths are simple,” says independent security professional Peter Wayner. “Changing the password prevents a host of problems created by key loggers, eavesdropping, shoulder surfing and viruses. That’s a big win because those are some of the most common threats today.”
HOW OTP WORKS One-time-password technologies rely on a token or server separate from the user’s computer. Token and server share a secret, and each computes the same short-lived code from that secret and a moving value, typically the current time or a counter. On its own the code proves possession of the token; paired with a PIN or password it becomes the second factor of a multi-factor login. Whatever the specifics, an attacker has to compromise all of the inputs at the same time, which puts the task out of reach of most adversaries today. Here’s one example in action. Plastic hardware tokens typically hang from key rings and include small LCD screens that display pass codes that look random. Those pass codes change every 30 seconds or so, in synchronization with a server that calculates the same number tied to the user. The combination of something the user knows (a PIN) and something he has – the token’s pass code – makes compromise very difficult. As with everything in computing, there are drawbacks. While most experts agree that hardware tokens are among the most secure approaches right now, they are also bulky, expensive and typically single-function, tied to only one system at a time.
GOING SOFT In their place are the increasingly popular “soft tokens,” or authentication systems that rely on tablets, laptops, desktops and smartphones to produce the passwords traditionally generated by stand-alone hardware tokens. Some systems even do the math on the server end, sending passwords back to the user. For obvious reasons, the smart phone piece of the market has taken off. While PINs are still one way to verify identity using a smart phone, handheld computers can now accept more and better factors than most PCs by virtue of all the sensors and technologies on board. Integrated cameras can pick up iris and face prints; motion sensors can demand a distinctive shake from their owners; and GPS and IP address data can approximate a user’s location. Likewise, the iPhone 5S has famously added a fingerprint scanner to its main control button. Verizon is sold on the value of multi-platform approaches, explains Peter Graham, senior identity strategist at Verizon Enterprise Solutions. The company’s Universal Identification Service is a fully managed cloud-based authentication and ID proofing platform that can handle everything from ID issuance all the way through NIST Level 3 security requirements. To sign up, users log in from a secure site or use an agreed-upon form of third-party ID to log into a site that is running the Verizon platform. Let’s say a physician wants to prescribe narcotics remotely, Graham explains. To do that, he can set up an account online using a digital certificate issued to him by the SAFE-BioPharma Association. The Universal Identification Service gives him a username and PIN sent through an encrypted browser session in return. The physician can now use that username and PIN – something he knows – to obtain a password that will remain valid for only 30 seconds. Because usernames and PINs can be guessed, Graham says Verizon adds something he has to the mix. If he has a cellphone, Verizon can send an SMS message with the password he needs. If he has a PC, smart phone, tablet or other screened device, the company can send a message to a proprietary bit of software – a soft token – instead. They can even ring landlines to deliver one-time passwords. “As smart platforms get more secure and as the standards get a lot tighter, more and more people will enable their employees and customers to use the devices they have,” says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. “It’s more convenient and a heck of a lot cheaper for the company that wants to roll out stronger authentication in a secure way.”
MAKING A CHOICE So how do you choose? First you need to determine the importance of the information you want to protect. If it’s not that important, you may not be able to justify the budget to secure it. It’s also crucial to know who will be accessing the information you want to secure. The technology chosen has to be not only affordable, but also scalable and simple enough for the intended audience. The company’s CFO and general counsel, for instance, may be happy typing in long, cumbersome passwords from a key fob when they have to handle sensitive documents. The larger user base with Android devices prone to phishing attacks and click-bait is likely the greater risk. Additionally, there’s little chance that online retail customers will put up with a physical token, so you have to figure out what they will tolerate.
CROSSING THE BIOMETRIC LINE If the token is what you have and the PIN something you know, then biometrics are something you are. Few argue the technology’s potential, but it has yet to be issued on a widespread scale by organizations bolstering data security. Dan Kusnetzky, of Kusnetzky Group in Rochester, N.Y., examines many biometric-security proposals for corporations each year. He says the technology often leaves managers with the impression that the average user will feel uneasy. Many suggest that iris capture, facial images and even fingerprinting may infringe upon employee privacy, he says. Even when privacy isn’t a concern, cost and fear of change often are. Others, however, point to the growing use of biometrics across consumer applications and devices as a precursor to acceptance in the workplace. They also cite the fact that employers can mandate employee usage regardless of these fears. “Some of the things I have seen in terms of coming up with new ways to ID things relate to inertia,” Kusnetzky says. “They look at the cost of that and say we haven’t had a breach yet, we can’t afford this cost right now.” Opting for inactivity, he says, is often when they get hit with a breach, and this momentum shifts.
THE FUTURE Nothing is perfect in security, but multi-factor authentication seems to be among the most secure technologies available. Verizon’s most recent Data Breach Investigations Report, for example, found that out of thousands of attacks examined, less than 1% involved compromised multi-factor authentication. Will things continue as well as they have? Maybe. RSA estimates that Android malware grew 35,000% between 2011 and 2012. Among the apps: malware that steals the SMS messages on which many multi-factor technologies rely.
NEW JERSEY LAWMAKERS CONSIDER NEW MEDICAID IDS
CREDENTIALS COULD PREVENT MILLIONS IN FRAUD
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
New Jersey lawmakers are considering legislation to establish a program that would issue USB drives with embedded smart card technology to Medicaid recipients. The bill is designed to put a dent in rampant fraud that costs American taxpayers billions of dollars annually, and supporters say it could lead to more eligible residents receiving Medicaid. If the project is approved, pilot participants would make use of a USB device containing their identifying information and medical records, with lawmakers reviewing the results in two years’ time. “It will free up money to actually go to the health care as opposed to feeding the fraud system,” says Democratic Assemblyman Tim Eustace, one of the bill’s sponsors. Eustace, a chiropractor, thinks his own business would benefit from the smart card approach. “We’ll be able to verify that the patient is exactly who they say they are after just a momentary verification of benefits,” says Eustace. “Before, my staff would sit on the phone waiting for Medicaid to verify that the person had benefits, which ended up costing money.” Instead of the plastic Medicaid cards they currently carry, patients would carry a USB flash drive containing medical information and a photograph. To prove their identity and provide offices with instant access to their medical records, the user would present the token and provide a PIN. “It would prevent fraud on both ends,” says Eustace. “The doctor would actually be providing services to the correct patient, and the patient would have to actually be the person who is approved for the services.” Much of the fraud comes from people shopping for drugs through multiple doctors. Since all providers would eventually be linked
to the system, this doctor shopping process would be much more difficult. Eustace says the USB drive will help stop other groups, like hospitals and drug companies, from ripping off the system as well. Everything is recorded electronically, hopefully putting the brakes on those who over bill or provide services that aren’t approved. Another sponsor, Democratic Assemblyman Herb Conaway Jr., suggested that biometric information – like the user’s fingerprint – could be included someday to cut down even further on fraud. For now, however, he just wants to see a reduction in cost per Medicaid recipient. “Developing a more efficient system for Medicaid would preserve the integrity of the program and make it more accessible to those who truly need it,” says Conaway. “This pilot program would help us discover if and how we may improve the system.”
The cost of the pilot hasn’t been determined, but Eustace figures New Jersey taxpayers will save hundreds of millions of dollars in fraud reduction alone. Supporters of the new proposal will have to sway skeptics concerned about user security. But Eustace says privacy laws have already changed the way doctor’s offices and hospitals do business. “You cannot get into the patient files without certain protocols,” he says. “The staff is trained not to release any of that information.” The state health department would oversee the program and New Jersey’s Commissioner of Human Services would determine whether the two-year pilot is carried out statewide or only in designated areas. “It’s hard to say no to saving money, and in health committees it was passed almost unanimously,” says Eustace. “It has a lot of bipartisan support.”
GEMALTO PROTECTS AMAZON RAINFOREST
Gemalto has teamed with Cargo Tracck to protect Brazil’s Amazon Rainforest using M2M technology. The solution applies embedded connectivity and intelligence to preserve one of Brazil’s most precious resources: wood. Strong global demand for rainforest wood, along with the lucrative nature of illegal logging operations, has put the Amazon Rainforest in danger. More than 4,000 square miles of Brazilian rainforest have been destroyed in the last two years alone, with 224,000 square miles decimated since record keeping began in 1980.

Cargo Tracck and Gemalto devised and executed a pilot program and sting operation that leveraged Machine-to-Machine (M2M) technology to catch thieves in the act of illegal deforestation. Designed by Cargo Tracck, the discreet tracking unit uses Gemalto’s small but powerful Cinterion BGS2 M2M module, which enabled cellular communications between the trees that contained the tracking units and law enforcement. When a tagged tree was harvested, the solution immediately began sending alarms to law enforcement officials. Smaller than a deck of cards, the tracking devices were hidden in a resin case made to blend in with the surrounding tree trunk. Ten of the devices were covertly installed in remote active harvesting areas deep in the jungle. The Cinterion module’s power management enabled the device to operate reliably in the field for more than a year without recharging its batteries. Gemalto’s Cinterion M2M technology is integrated in a variety of solutions that enable machines, devices and even trees to communicate on mobile networks to improve processes, productivity and efficiency.
This initiative highlights how M2M technology can be applied to help deter crime and protect the environment, but the technology can also be used to enable secure POS transactions; remotely manage assets, buildings and industrial operations; improve productivity of fleet operations as well as power industrial PDAs for work forces.
HARDWARE
SALTO Electronic Locking System
THE KEYLESS SOLUTION TO MECHANICAL KEY CONTROL
The SALTO Virtual Network - System Description

Features & Benefits
The Wirefree battery-operated locks, cylinders and lockers are networked to your server without wires.
· No wiring costs, simple installation and reduced material costs
· Adaptable to any kind of door, including lockers and glass door locks
· Track events in the facility, such as battery status, access granted/denied and staff activities
· Smart battery management and innovative design
· Wall readers and door controllers are used for elevators, gates, barriers or speed gates

The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides an audit trail and reports battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions.

FOR MORE INFORMATION PLEASE CONTACT US
SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340
Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098
info@salto.us • www.salto.us • www.saltosystems.com
inspired access
RETAILERS CREATE CUSTOM WALLETS WITH AIRTAG
AIRSHOP is a white-label mobile wallet solution for retailers, QSRs and grocers. With AIRSHOP, retailers can launch their own 100% self-branded mobile wallets for fast and advanced ordering, payment, loyalty, geo-location services and couponing. It has been deployed for retailers including KFC, Carrefour City, G20, Dia and many more. Through AIRSHOP feature modules, retailers can create a customized mobile wallet with the choice of multiple user interfaces – mobile, tablet and web. AIRSHOP can be connected via server to each restaurant’s in-store POS system, where payments can be conducted online and processed in-store through tokenization. Many of the retailers currently using AIRSHOP have opted for in-store pick-up options, or “click and collect,” which requires a customer to conduct a mobile check-in using Bluetooth, QR Codes or NFC.

One of AIRSHOP’s implementations can be seen at KFC locations in the UK and Ireland. In these restaurant locations, KFC’s Fast Track mobile wallet allows customers to place orders and make payments before arriving at the restaurant. KFC Fast Track users can pick up their order any time on the day an order is placed. Upon arrival at the selected location, the user initiates a mobile check-in to let KFC staff know they are present in the store. This enables the user to skip the line and proceed directly to a dedicated Fast Track checkout. The solution also includes a CRM module to help KFC and other users analyze customer purchasing behavior.
BANKING
INFINEON BEEFS UP E-PASSPORT CHIPS
Infineon’s SLE78 security controller is being used to build high-speed e-passports with high bit rates and CC EAL6+ (high) certified flash. Enabled by the latest Logical Data Structure specification from the International Civil Aviation Organization, e-passports are now capable of storing e-visas, entry/exit stamps and biometric data. This increases demands on the chip, raises the need for data storage from 50K to 1MB or more and calls for faster data transfer rates. While most e-passport chips contain 200K or less of memory, the SLE78 security controller with Integrity Guard represents the highest memory density currently available at 700K. Infineon’s chip includes 200K of space for program code and adds up to 500K of flash-based memory for variable data such as personal and biometric data, e-visas, hundreds of electronic entry and exit stamps and even loyalty points for frequent traveler programs. A standard 30-page paper passport can hold about 150 stamps, assuming physical space for about five per page. Assuming that each e-visa or entry/exit stamp requires three kilobytes of memory, the SLE78 with 500K provides rewritable memory space corresponding to the 30-page passports in use today.

For a passport containing the maximum number of electronic visas and stamps, the full 500K of data would need to be processed at the electronic gate. Most of today’s e-passport chips have transfer rates of 848 bits per second, which translates to a transaction time of approximately eight seconds. Infineon’s SLE78 has a data rate of 6.8 megabits per second, so just three seconds is needed to process the same volume of data. Today, the passports in general use still contain only personal data and a biometric photo. At the gate, the new SLE78 can process this volume of data in less than one second.
IDENTIFICATION
IDENTITY-AS-A-SERVICE 101
TERRY GOLD, FOUNDER, IDANALYST LLC.
When it comes to identity credentials, historically the higher the level of assurance, the more costly and complex the credential was to produce and manage. These higher costs, in turn, kept PKI-enabled smart cards out of reach for the masses. Only large organizations could attempt to scale, lower costs and resource a project that was demanding across various skill sets.
COMPLEXITY When performed in line with best practices for trust and security, high-assurance identity programs demand a diverse set of skilled resources. While the token – or card – is what is most visible, it’s only the tip of the iceberg. Most of the complexity is in the back-end infrastructure required to securely issue and manage the larger system. This complexity is further compounded by the many touch points required to integrate, operate, support and form policies that enable it all to work cohesively.
SIMPLIFICATION Through the PIV program, the U.S. Federal Government has demonstrated that complexity can be reduced for organizations that require high-assurance credentials. By building a model centered on delivering a set of capabilities as a service, the program has rolled out IDs to millions of individuals across agencies. The reality is that the complexity still exists, but it is now delegated to those that can deal with it, eliminating the burden for customers. Software as a Service (SaaS) models provide a turnkey solution, enabling customers to be concerned only with consuming the service, not managing it. Think of it like riding a bus. If I were to hire a privately chartered bus to take me from Los Angeles to San Francisco on my own, it would cost thousands of dollars. However, if I buy a ticket for a commercially available bus that was already scheduled to make the same trip, the price becomes commoditized as the costs are shared across many customers. The same can be said for SaaS models. However, for this symbiotic relationship between provider and customer to be mutually beneficial, a group of customers must agree to the same set of service capabilities. The more customers a provider can get to do so, the more it can monetize its existing service and likely lower costs, as more people share it.
CURRENT MARKET When looking across various markets, the PIV program can’t meet everyone’s particular requirements. It was neither designed to do so nor is it even available to everyone. The good news is that new services are coming online to meet varying requirements. This market is still young. On one end there is a rush by some vendors with a lesser background in identity to get in on the action. On the other end, established companies with proven backgrounds struggle to transition from government to enterprise with inflexible PIV-based solutions. As vendors try to appeal to a broader audience with increasingly varying requirements, the market is evolving. Despite the market evolution, vendors’ products vary greatly in their focus and capability, and telling them apart, or even knowing which questions to ask specific to this type of solution, can be challenging. Making assumptions based on features or brand will likely lead to major oversights.
DIFFERENCES Identities as a Service (IDaaS) solutions generally differentiate in a series of core areas.

Scope of Solution: the list of in-house technologies and processes the solution displaces. Conceptually, IDaaS strives to offload as much of the infrastructure that a customer would otherwise be required to install as possible. However, organizations with unique requirements may desire the flexibility to keep some things in-house for a more hybrid model.

Intent: the specific problem the solution aims to solve. Products are generally developed to solve specific challenges faced by a customer or type of customer. Some take a general approach toward the size of a company, for example, while others address specific market segments like health care. In general, vertically developed solutions will be less applicable to a mass audience but will be more powerful in the scenario for which they are intended. Also, the problem that vendors are trying to solve for a customer can vary across competitive solutions. Some focus on ease of convergence while others drive toward depth and flexibility.

Implementation: the technology and execution used to achieve the proposed solution. Even though IDaaS categorically belongs in the cloud, each implementation may require customers to take a tailored approach to setting it up, using it and adopting preset policies. Additionally, how things integrate, how well they do so, and which third-party components may or may not be hosted in the service can vary as well. It is key to completely develop solution requirements to determine which IDaaS is the best fit.

Security Philosophy: the approach to overall solution security. Though all solutions in this segment are intended to provide security, there is an incredible variance in the levels of security offered. This is a culmination of varying talents in application security, cloud security, key management and overall internal policy.

Certification: the level of attainment recognized by third parties. In the smart card world there are a few certifications, but most have specific contexts for particular components or processes. PIV is the only attempt to certify the overall solution and execution. Perhaps the most common misunderstanding in the credentialing market is the assumption that certification automatically equates to a commensurate level of security. While certifications attest to a set of criteria being met, security is dynamic and certifications are typically narrow. The reality is that certifications should be viewed as a minimum starting point, not the overall achievement of security.

Standards: adherence to standards from open and public domains. This is another area of significant variance. Standards can have significant implications for system operations. Thus, customers should perform a diligent review as to which, if any, standards make sense for their business both short and long-term.
RECOMMENDATIONS

Look beyond simple cost cutting. Most assume that an IDaaS costs them less than an in-house model; however, this isn’t always true. Since the market is not yet mature and has not been commoditized, prices are still at somewhat of a premium. The size of the organization is key. For small to medium-sized organizations, even the most expensive IDaaS solution is likely to be cheaper than an in-house solution. Also, with IDaaS, costs are spread out per year rather than stacked up-front via perpetual licensing and back-end infrastructure costs. However, for very large organizations with tens of thousands of users, these numbers start to reach parity. It is important to note that large organizations that could spend less on an in-house model may still choose IDaaS, as it can have financial benefits in how services are accounted for as compared to depreciating purchased assets.

Focus on both tangibles and intangibles. The whole point of IDaaS is to remove users and operators from the low-level components underneath, so most of what is going on can’t easily be seen. For example, the solution may have a key management function, but how does one know how the key material is being handled, or even whether the service uses a hardware security module at all? You can’t go by features alone; you have to dig into the intangibles to know what is included both visibly and out of sight.

Avoid fixating on product comparisons. Comparing products against one another is a must, but too often clients become fixated on this aspect and lose sight of developing a clear definition of their requirements and benchmarking. Comparisons are relative, but are fairly transparent against solid internal requirements.

Don’t fall victim to the turnkey assumption. Clients often assume that because IDaaS eliminates a great deal of infrastructure deployment, they will be able to flip a switch and go. This is partially true if the service is truly an out-of-the-box, multi-tenant system. However, deciding on workflows, setting policies, pushing out to clients, ensuring quality assurance, building a notification and support process and integrating the service into your infrastructure can all take time. Performing due diligence on the service provider to ensure a complete understanding of how it secures its infrastructure takes time as well. Between scheduling, aligning resources and acquiring approval to do these things, it can easily take several months before rolling out beyond limited production.
A POSITIVE MOVEMENT IDaaS solutions may or may not cut costs, but they definitely make identification programs simpler and commercially available to more organizations. They reduce complexity, the burden of operation and the cannibalization of critical resources required for other projects. Overall, IDaaS is a positive movement for everyone, even those that opt not to deploy it. IDaaS systems are undeniably lean and efficient, adding competitive pressure across the entire market landscape – IDaaS and traditional approaches alike. And as the market matures, things are just going to get better.
EXPERT PANEL
THE NEW THREAT ON THE BLOCK
TIM MOSES, SENIOR DIRECTOR OF ADVANCED SECURITY TECHNOLOGY, ENTRUST
2013 confirmed for us what many had long suspected about government surveillance – there is not just surveillance by repressive regimes around the world but also by extremely well-resourced and well-positioned intelligence organizations in the “free world.” Other revelations have taken even the most cynical by surprise. Many who constantly monitor threats to privacy and civil liberty have expressed outrage at the breadth of these activities and the ineffectiveness of the oversight mechanisms intended to keep them in check.

The Internet has become indispensable in so many aspects of our lives that living without it is now unthinkable to most companies and individuals in the developed world. Yet our confidence in the integrity and security of this essential resource has been shaken. Unless something is done to restore that confidence, many societal benefits of the digital age could be lost to us. The threat landscape has changed; it now contains a threat agent with resources that, while not fully understood, clearly go beyond those contemplated by the designers of today’s information systems. Those resources are routinely deployed against dissenters, law-abiding citizens and friendly governments, and these recent revelations will inevitably bring about a change in their behavior. Many of the protocols that we routinely rely upon to secure our identities online are no match for such a threat. Online identity authentication is a confused landscape of disparate schemes, necessitated by the fact that communication protocols have never been designed from the ground up with security and privacy as requirements. System designers are forced to resort to solutions assembled from a heterogeneous set of ill-fitting components.

So, what properties do we expect to see in an authentication ecosystem that can stand up to the new threat environment? It must have a verifiably trusted human interface, so that users can be certain that they are providing their private information to the correct process, and they can be assured that it will be treated securely throughout its lifetime in the system. There must be no need for the recipient to handle or store any private user information associated with authentication of that user. Communications must be secured end-to-end, in order to prevent a man-in-the-middle attack. The authentication event must be strongly bound to the session or transaction that follows, in order to prevent session riding. False acceptance and false rejection rates must be acceptably low, in order to prevent impersonation attacks and make the authentication ceremony acceptable to the user. And authentication events must be unique, in order to prevent replay attacks.

Authentication mechanisms in common use today clearly fall short of this ideal. Techniques used to prevent users from choosing weak, long-life passwords just encourage password re-use, so that the security offered by every service provider reverts to the level of security offered by the least secure provider with whom the user shares the password. OTP tokens don’t provide end-to-end security. Knowledge-based authentication relies on secrets that may be easily obtained by an adversary. Browsers can be easily subverted by malware and phishing attacks. Passwords reset over unsecured email can be exposed to system administrators. Each of these techniques can protect against some adversaries, but none of them can withstand an attack from a determined nation state.

It may be decades before the situation is righted, but the process has started. Protocol designers are revising their threat models, and stronger online identity schemes will emerge and achieve cross-platform adoption. The health of our digital economy depends upon it; not to mention the human rights of dissidents and the moral authority of the West to promote its values in countries where new governance models are sought.
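Two of the properties listed above, unique authentication events (against replay) and binding of the event to the session it authorizes (against session riding), can be shown in a small challenge-response login. The following is an added example written for this page, not code from the author or from Entrust; the user names, keys, session ids and the 30-second challenge lifetime are constructed assumptions.

```python
"""Challenge-response login in which every authentication event is unique
(fresh server nonce, accepted once) and bound to one session (the session
id is part of what the client signs).  HMAC with a per-user shared key is
used only to keep the example to the standard library; a public-key
signature in the same place would also remove the shared secret from the
verifier.  All names and keys below are constructed for the example."""
import hashlib
import hmac
import secrets
import time


def _message(user: str, session_id: str, nonce: str) -> bytes:
    # Length-prefix each field so that the concatenation is unambiguous.
    parts = [user, session_id, nonce]
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


class Authenticator:
    """Client-side holder of the user's key (a phone app or hardware token)."""

    def __init__(self, user: str, key: bytes):
        self.user = user
        self._key = key

    def respond(self, session_id: str, nonce: str) -> str:
        # The nonce makes the response unique; the session id binds it to
        # exactly one session, so it is useless for any other session.
        return hmac.new(self._key, _message(self.user, session_id, nonce),
                        hashlib.sha256).hexdigest()


class Verifier:
    """Relying party: issues nonces and checks responses against them."""

    def __init__(self, keys: dict, max_age: float = 30.0):
        self._keys = dict(keys)        # user -> shared key (constructed)
        self._pending = {}             # nonce -> (user, session_id, issued_at)
        self._max_age = max_age        # seconds a challenge stays valid

    def challenge(self, user: str, session_id: str) -> str:
        nonce = secrets.token_hex(16)  # 128 random bits: unguessable, unrepeated
        self._pending[nonce] = (user, session_id, time.monotonic())
        return nonce

    def verify(self, user: str, session_id: str, nonce: str, tag: str) -> tuple:
        """Return (ok, reason).  The nonce is consumed on first presentation,
        pass or fail, so a second presentation of a captured tag is rejected."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False, "unknown or already-used nonce (possible replay)"
        issued_user, issued_session, issued_at = entry
        if time.monotonic() - issued_at > self._max_age:
            return False, "challenge expired"
        if issued_user != user or issued_session != session_id:
            return False, "response presented for a different session (session riding)"
        key = self._keys.get(user)
        if key is None:
            return False, "unknown user"
        expected = hmac.new(key, _message(user, session_id, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad response"
        return True, "authenticated"


def demo() -> dict:
    """Legitimate login followed by three misuse cases the properties defeat.
    Returns the accept/reject outcome of each step."""
    key = secrets.token_bytes(32)                    # constructed per-user key
    alice = Authenticator("alice", key)
    verifier = Verifier({"alice": key})

    # 1. Legitimate login for session S1.
    n1 = verifier.challenge("alice", "S1")
    t1 = alice.respond("S1", n1)
    ok_login, _ = verifier.verify("alice", "S1", n1, t1)

    # 2. Replay: the captured (n1, t1) pair is presented a second time.
    ok_replay, _ = verifier.verify("alice", "S1", n1, t1)

    # 3. Session riding: a response computed for session S2 is submitted
    #    in an attempt to authenticate a different session, S3.
    n2 = verifier.challenge("alice", "S2")
    t2 = alice.respond("S2", n2)
    ok_ride, _ = verifier.verify("alice", "S3", n2, t2)

    # 4. Wrong key: a device that does not hold alice's key answers a fresh
    #    challenge for her account.
    n3 = verifier.challenge("alice", "S4")
    t3 = Authenticator("alice", b"not-the-key").respond("S4", n3)
    ok_forgery, _ = verifier.verify("alice", "S4", n3, t3)

    return {"login": ok_login, "replay": ok_replay,
            "session_riding": ok_ride, "wrong_key": ok_forgery}


if __name__ == "__main__":
    print(demo())
```

Note that the nonce store is the piece a real deployment must get right: it has to be shared across all verifier instances and bounded by the expiry window, or a nonce could be accepted twice by different nodes.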
REGISTRATION NOW OPEN
THE GLOBAL HUB FOR NEXT-GENERATION CITIZEN & GOVERNMENT ID SOLUTIONS
Security documents, border control, ePassports, eID, registered traveller programmes, document design, breeder documents and anticounterfeiting…
• Discounted rates for Government delegates – plus buy one place and get the second half price
• Lower rate conference places for delegates from African, Asian, South American and (New for 2014) Eastern European nations
• Major focus on biometric technology and human identity-based solutions
• More than 100 companies exhibiting from around the world
• Conference sessions include a special focus on document examination
• Register to attend the exhibition for free, or book now for preferential rates to attend the conference – the earlier you book, the lower the rate!
• Addition of conference interpretation services for French and Spanish (New for 2014)
IF GOVERNMENT AND CITIZEN ID MARKETS ARE YOUR BUSINESS, SDW 2014 HAS THE ANSWERS...
EXPERT PANEL
IDENTITY AND ACCESS MANAGEMENT: WHAT’S IN STORE FOR 2014?
DEAN WIECH, MANAGING DIRECTOR, TOOLS4EVER
Identity and Access Management has become a hot topic as more organizations begin to recognize that a progressive approach is crucial. The market for Identity and Access Management has not yet matured; however, the space continues to grow and progress to meet the evolving needs of organizations and their customers. What, then, does 2014 have in store for Identity and Access Management?

Popularity of the Cloud: One of the most common changes organizations have made is moving applications – which were previously installed and managed internally – to the cloud. Using cloud applications enables employees to be more flexible in terms of their physical location, while the organization becomes less dependent on its local servers and applications. Additionally, cloud applications impose far fewer demands on the equipment with which the work is done, granting employees the freedom to work from any given device, including laptops, tablets or smartphones. However, when dealing with Identity and Access Management, the cloud doesn’t make things any easier. Where there used to be tight integration within a local network, collaboration with multiple cloud suppliers – each of which has its own standards – leads to many difficulties and issues. Cloud applications each impose their own password policies, which means traditional LDAP authentication against Active Directory has become considerably more complex. Automatic management of user accounts and rights within the application is also increasingly difficult. In addition, existing on-premises APIs no longer work over the Internet, which requires the functional application manager to operate with a manual user management interface.

SSO for Web Applications: The popularity of the cloud has also resulted in employees having difficulty remembering all of their accounts and credentials. To deal with this issue, organizations often offer staff a portal with direct links to the various URLs for their web applications. However, this still leaves the issue of employees needing to remember several usernames and passwords. This is where the development of Web Single Sign-On comes in. With single sign-on, end users only have to authenticate themselves once by entering their username and password from Active Directory. Web SSO then takes over the login processes, eliminating the need for a user to enter login details again when opening another application. In addition to being more user friendly, this process is also more secure, as it reduces the need for end users to write their credentials down or keep them in insecure locations to remember them.

Access Governance: Strict legislation and regulations have led to many changes and developments in the Identity and Access Management world. To comply with audits, organizations are cleaning up their functional houses and are putting their “rights pollution” under the microscope. This pollution is often the byproduct of the rights-granting process, as rights are often issued on the basis of “copy user.” Manually keeping track of the rights granted within an organization is a highly complicated, time-consuming process. In many instances, continually managing the rights structure is simply not feasible. Identity and access governance enables organizations to easily ensure that employees only have access to the network resources they need to be able to perform their duties. In the past, access governance was largely the domain of financial institutions and major international concerns. Today, identity and access governance has become more accessible to health care institutions, medium-sized companies – 1,500-5,000 staff – and other commercial organizations.

Broad Access to Information Systems: Another recent development is the increasing need to make information widely available to members of an organization. Growing numbers of people want or need access to information, as well as information systems. One example of this can be seen with local authorities, where citizens increasingly need regular access to a municipality’s information systems. The same goes for health care, where patients need the ability to view their own medical details. Organizations are taking the initial steps and, alongside their Active Directory, are building up an LDAP store to enable broader access to information systems. This means that, in addition to staff, external parties must also be provisioned and made known within the network. Simply put, user IDs are necessary, and people must authenticate themselves to gain access to information systems. Through identity and access management, it is possible to automate the provisioning and authentication process to reduce the overwhelming amount of manual labor that the IT department needs to perform.

Overall, the Identity and Access Management market continues to grow and evolve to help meet the needs of organizations and the changes that they are making within their company.

Dean Wiech is managing director of Tools4ever, a provider of identity and access management solutions.
EXPERT PANEL
DEATH OF THE PASSWORD?
PHIL SCARFO, SENIOR VICE PRESIDENT OF WORLDWIDE SALES AND MARKETING, LUMIDIGM
It’s hard to believe that in this digital day and age we continue to rely on the decades-old authentication method of usernames and passwords. It was bad enough when we had but a few simple combinations, but now the vast majority of us have dozens of complex and hard-to-remember combinations. Passwords were initially designed in the 1960s to authorize on-site users in fixed and secure locations. Access was limited to dumb terminals that had dedicated, fixed-wire connections to a corporate mainframe. When passwords were first introduced to the world, the total combined worldwide computational horsepower was less than that available in just one of today’s smartphones. Today, more people have mobile access than have safe drinking water and electricity. Mobile commerce will reach $3.2 trillion by 2017. Online banking is expected to reach 894 million people by 2015. And Google’s online ad revenue alone surpasses the entire US print industry. The world has changed, quite dramatically. Why, then, do we continue to rely on authentication methods that are neither secure nor convenient? In the tug-of-war between security and convenience, convenience has generally won. In a dramatic example, the passcodes needed to launch US nuclear missiles during the Cold War were set to 00000000 to ensure that no time-consuming mistakes were made while keying in the code.

For more ordinary situations, passwords were arguably not the most secure, but at least they were convenient and certainly easier to deploy for most organizations. There were no real heavy-duty enrollment processes or technology barriers. If you wanted to add a veil of security you simply provided a username and password combination and off you went. So the key question is not, “Is the password obsolete?” The more important question is, “What will it take to provide the level of convenience, security and privacy that is needed to displace passwords?” With more than 1 billion people today with broadband access – up from only about 38 million in 1999 – we are at a tipping point. Secure apps on a smart device coupled with a biometric can provide all the authentication technology needed for the next generation or more. This is not to say that the biometric employed must be an integral part of the device. This is certainly one option. But with secure credentials being stored and securely transmitted over NFC, Bluetooth or other means in a smart device, the conditions are there for a very convenient and secure “smart digital key.” Coupling this “smart digital key” with a “smart digital lock,” whether a banking ATM with a biometric, a kiosk or an online service, could finally provide the means to deliver a “no compromise” solution that people demand and expect today. After all, what we need is security. What we want is convenience. Some with an eye to the future are realizing that convenient security sells. It is a win-win for business and ultimately can usher in the long-overdue death of the password.
HID BUYS LUMIDIGM
EFFORTS WILL PURSUE NEW MODALITIES, EXPAND MARKETS
Fingerprint biometric innovator Lumidigm had an unlikely start in the medical field rather than the identity and security realm. Johnson & Johnson and InLight Solutions were exploring the potential of spectroscopy technology to check glucose levels in the skin tissue of diabetic patients without having to take a blood sample. Researchers noticed that the “noise” from each sample was unique. This finding led to Lumidigm’s spin-off in 2001, and a shift in focus to potential biometric applications of the technology. The company’s mission became development of a fingerprint biometric sensor that could use spectroscopy to improve image quality and liveness detection.

Today, Lumidigm provides fingerprint scanners that solve problems that have plagued traditional biometric scanners. With contact-based scanners that read only the surface of the skin, accuracy is degraded by non-ideal skin conditions, damaged fingerprints and adverse environmental conditions. In contrast, multispectral imaging technology uses multiple light spectrums and advanced polarization techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin. Lumidigm excelled in these areas, establishing itself as a leader in fingerprint biometrics for secure applications. The culmination of these efforts garnered a great deal of attention and eventually led to an acquisition of the company in early 2014 by the identity and security industry giant HID Global. “The company has unique technology protected by a large patent portfolio and proprietary algorithms,” said HID Global President and CEO Denis Hébert.

Lumidigm had been privately held and venture-capital backed since its founding, says Bob Harbour, executive chairman of Lumidigm and chairman and president of the International Biometrics and Identification Association. “Lumidigm is a good strategic fit for a major multi-national ID company,” Harbour explains. The acquisition may enable Lumidigm to pursue other important product initiatives and other biometric modalities. “On the research and product development front, we have the ability to expand our biometric capability beyond fingerprints,” Harbour says.

It will almost certainly expand the technology’s reach further into the global market. Lumidigm’s technology is already used internationally – with implementations in South Africa, Brazil and beyond – but the merger will expand that even further, Harbour says. And both companies see the future of biometrics expanding beyond law enforcement, government and other traditional sectors. “The real growth and story around Lumidigm is in health care, banking, corporate and industrial markets,” says Harbour.
GARTNER MAPS THE WORLD OF USER AUTHENTICATION WILL RODGER, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Knowing who’s on the other side of an online conversation isn’t easy. Sure, everyone learns early on that good ID consists of something you have, something you know or something you are, but getting people to use those techniques isn’t as simple as security pros would like. Employees and consumers aren’t always excited to use high-assurance security technologies.

One of the biggest obstacles is usability, Gartner says, and vendors are starting to recognize this. Examples abound in the company’s recent “Magic Quadrant for User Authentication” report. Author Ant Allan notes that bring-your-own-device demands are forcing vendors to change their products and services in response. Users want sign-in to be as easy as using any other app on consumer phones. A swipe here, a PIN there is about all most are willing to do. “The desire is for an authentication methodology – say a mobile app – that provides the right level of trust and doesn’t reduce the user experience,” Allan says.

Companies that made physical authentication tokens thrived for years knowing that their target market was smart, security-minded technicians. These users would put up with the somewhat cumbersome keyfob to type in one-time passwords on demand. That market still exists, but the number of people who need a secure way to sign in has exploded. Vendors, in response, are making it easier not just to “know,” but to “have” and even “be” something that can be used for authentication.
TO HAVE
The “have” side is simple enough. Instead of sticking with the traditional plastic token that generates passwords on the fly, companies such as RSA and Symantec have responded with soft tokens that reside on smart phones or almost any digital device – PCs, laptops and tablets included, Allan explains. The switch brings several benefits. For one, they are much cheaper. For another, they are familiar and easy to use. They are also integrated into something people have with them all the time. So not only are soft tokens handy, but they can be integrated into a device people are actually using to access their networks.
TO BE
Contextual factors – location especially – will be increasingly important in the next few years, Allan says. Location is popular because virtually every smart phone includes sensors to pick it up. More important is what the location says about a user. While home and office may be widely known, seldom could an individual’s life schedule be predicted well enough to reliably spoof an identity. Thus, restrictions based on location can withstand attacks over the long term.

Biometrics such as face, iris and fingerprint are well known, but behavior-based biometrics is emerging, too. Almost any physical motion related to device use can be tracked, from the way we type on our phones, tablets and keyboards to the way we go from one screen to the next. Users can invent their own gestures for shaking devices, if they like. Once identified, these behaviors can then be used for future authentication.

All of this eventually turns into math, just like previous methods. The difference, however, lies in the depth of defense. “If you have a legacy method, you have a specific credential that you are connecting to a user,” Allan says. “If you are doing contextual authentication, you don’t have any one piece of info that is strong by itself. Having multiple pieces of information together add up to give you an overall score. It’s rather like having a bundle of sticks than a single branch.”

Recent attacks against infrastructure of all sorts suggest the security business should be booming. That’s true up to a point: Companies that specialize in incident response, for instance, claim to be turning customers away because they cannot keep up with demand. Authentication specialists, on the other hand – the folks on the front line where attacks should have been stopped in the first place – report that their business is growing but not at the same rate. Overall, Gartner estimates perhaps 20% growth in user volume for 2013, but only 10% growth in revenues due to the increased use of lower-cost cloud and soft-token solutions.

Hackers aren’t standing still. They’ve already compromised at least one – now remedied – one-time password algorithm and are working on a host of others. They could move on, but browser-in-the-middle attacks are growing, Allan says, because they are easier to execute than many authentication hacks.
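As an added illustration of the “bundle of sticks” idea (this is example code written for this article, not Gartner’s or any vendor’s), the toy scorer below combines four weak signals, location, device, typing rhythm and time of day, into one score and then allows, steps up or denies. The weights, thresholds, profile and sample attempts are all constructed assumptions.

```python
# Added example, not from the article: a toy contextual authentication scorer.
# No single signal is strong on its own; the decision rests on the combined score.
# Weights, thresholds, profile data and the sample attempts are constructed.
import math
from dataclasses import dataclass

@dataclass
class Profile:
    home_cities: set      # cities this user routinely signs in from
    known_devices: set    # device fingerprints seen before
    typing_rhythm: list   # mean inter-key intervals (ms) for a fixed phrase
    active_hours: range   # hours of the day the user normally works

@dataclass
class Attempt:
    city: str
    device: str
    typing_rhythm: list
    hour: int

def rhythm_distance(a, b):
    """Euclidean distance (ms) between two inter-key timing vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def score(profile, attempt):
    """Combine weak contextual signals into one 0..1 confidence score."""
    closeness = 1 - rhythm_distance(attempt.typing_rhythm, profile.typing_rhythm) / 100
    signals = {
        "location": 0.3 if attempt.city in profile.home_cities else 0.0,
        "device": 0.3 if attempt.device in profile.known_devices else 0.0,
        "rhythm": 0.3 * max(0.0, closeness),   # degrades smoothly, never negative
        "time": 0.1 if attempt.hour in profile.active_hours else 0.0,
    }
    return round(sum(signals.values()), 2), signals

def decide(profile, attempt, allow=0.7, step_up=0.4):
    """ALLOW silently, STEP_UP to an OTP or biometric, or DENY outright."""
    total, _ = score(profile, attempt)
    if total >= allow:
        return "ALLOW"
    return "STEP_UP" if total >= step_up else "DENY"

# Constructed sample data: one enrolled profile and three sign-in attempts.
ALICE = Profile({"Austin"}, {"laptop-7f3a"}, [120, 95, 140, 110], range(8, 19))
NORMAL = Attempt("Austin", "laptop-7f3a", [118, 100, 135, 112], 10)
TRAVELLING = Attempt("Lisbon", "laptop-7f3a", [125, 90, 150, 105], 14)
SPOOFED_LOCATION = Attempt("Austin", "unknown-device", [210, 60, 230, 40], 3)

if __name__ == "__main__":
    print({n: decide(ALICE, a) for n, a in [("normal", NORMAL), ("travel", TRAVELLING), ("spoof", SPOOFED_LOCATION)]})
```

The spoofed attempt gets full credit for location yet is still denied, which is the point of scoring a bundle of signals rather than trusting any one of them.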
EXPLORING THE ‘MAGIC QUADRANT’ Safenet, Gemalto, EMC, CA Technologies, Vasco Data Security and Technology Nexus are Gartner’s choices for top user authentication technology companies in its recent “Magic Quadrant for User Authentication” report.
The consultancy rated 20 competitors according to their “ability to execute.” To Gartner, that means the “quality and efficacy of the processes, systems, methods or procedures that enable their performance to be competitive, efficient and effective – and to positively impact revenue, retention and reputation.”
Their main conclusions: Perhaps 50 vendors of the 200 or so in the market have credible offerings, and the top six above account for most of the market by customer and end-user numbers.
Gartner also rates companies according to their “Completeness of Vision,” or as they put it: “their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs and competitive forces.”
Succeeding, Gartner says, means moving with the market to mobile and cloud solutions and realizing that the legacy approaches are fast becoming obsolete.
Gartner’s famed “magic quadrant” places companies in one of four quadrants defined by ability to execute along the y axis and completeness of vision along the x axis. Companies that are competent but behind others are placed in the lower-left “niche players” box. Those that have vision but lack execution are placed in the lower-right “visionaries” quadrant. Companies that can execute but lack vision land in the “challengers” box, and companies that have it all – the top six, in this case – end up in the top right-hand corner, the “leaders” quadrant.

The report groups user authentication technologies into key categories including:

Lexical knowledge-based authentication (KBA): A combination of password and answers to questions the user knows
Graphical KBA: A pattern-based method that asks the user to produce a pattern of cells or, in some cases, a set of images or categories of images at each login
X.509 token: Similar to other tokens but often in the form of software or smart cards using the venerable X.509 public key infrastructure
Out-of-band authentication: This category of methods uses an out-of-band channel – for example, SMS or voice telephony – to send a password to the user that must then be entered
Biological biometrics: Characteristics such as face, iris, veins in the hand or fingerprints, usually together with PINs or passwords
Behavioral biometrics: Voice, typing rhythms, a predetermined hand movement, etc.
Contextual authentication: Other information about the user such as whereabouts, a specific endpoint, etc.

[Figure: Magic Quadrant for User Authentication. Y axis: Ability to Execute; x axis: Completeness of Vision. Quadrants: Challengers (top left), Leaders (top right), Niche Players (bottom left), Visionaries (bottom right). Vendors plotted: SafeNet, Gemalto, EMC (RSA), Vasco Data Security, Technology Nexus, CA Technologies, Symantec, TeleSign, SecurEnvoy, Swivel Secure, HID Global, Entrust, Authentify, Equifax, Deepnet Security, PointSharp, Microsoft, SecureAuth, SMS Passcode, Mi-Token. Source: Gartner, December 2013]
FACE + VOICE = ACCESS FACEBANX OFFERS MULTI-MODAL BIOMETRICS FOR ONLINE AUTH ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
No username, no password. Simply look into a web cam, repeat a few random digits and you can be logged into a site or authorized to make a transaction. This is the model proposed by FaceBanx and in trial at several leading companies, says Steve Cook, director of business development at the company.

To enroll, clients use their web cam to take a photo and then repeat a random string of four numbers – “1234” – four times. For every subsequent login, the client uses the camera to take another photo and repeats, just once, the four digits that appear on the screen. The system then conducts a one-to-many search against the face templates enrolled in a database and authenticates the actual identity with the voice, Cook explains.

I played guinea pig, taking part in the demo enrollment and login system available on the Facebanx web site. Enrollment was simple, requiring only the web cam and microphone on my computer, features that are pretty standard these days. In subsequent test logins, the system was easy to use and accurately authenticated me while refusing to authenticate several friends and family members posing as me.

According to Cook, one of the initial trials involves a telecom firm seeking to free its customers from passwords and save money by eliminating password reset calls. Other trials are expected to commence soon, including a multi-national bank that hopes to improve security of its customer accounts and reduce the opportunity for criminal access.

Facebanx was founded two years ago to provide video chat software. One of its early clients, an insurance customer, wanted facial recognition added to spot potential fraud, Cook explains. Thus was born the authentication solution, which has since moved to retail, gaming, financial services and other sectors.

Password reset is another common application. Instead of having to wait on hold and be asked security questions, a company could deploy FaceBanx to streamline the process, says Cook. Customers would be enrolled when opening an account and then could use the system when and if needed in the future.

Financial services companies in the European Union are also taking a hard look at the solution, he says. A new anti-money laundering law goes into effect soon, and financial institutions need to go to greater lengths to know their customers.

Facebanx is a member of the FIDO Alliance (Fast Identity Online), an organization of more than 100 biometric and tech companies including PayPal, Google and MasterCard, working to redefine online authentication with standards-based, open specifications for overcoming password dependency.