Spring 2012
Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews
THE GREAT MOBILE ID EXPERIMENT
Cover art (sample credential): CERTIFICATE: 5332354117789200 NAME: FRANK JONES ISSUED BY: ACME INC. EXPIRATION: 04.25.2014 TIMESTAMP: 14:27:15
+ PENTAGON UPGRADES PHYSICAL ACCESS + NSTIC FUNDING PILOTS + ID FOR CLOUD APPS
Advertisement (HID Global): Now, the future really is wide open. Introducing iCLASS SE™, enabled with the Secure Identity Object (SIO) model. Learn about SIO at hidglobal.com/sio or scan this with a QR reader. More portable, more flexible, and more secure than ever before. iCLASS SE — the platform that simplifies everything. iCLASS SE protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply re-programming it. Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/future-REID
Advertisement (Evolis Zenius): Discover the genius of the world’s most Zen card printer! Setting new standards in card printing! Evolis innovates to offer you a brand new solution to print and personalize plastic cards. Compact. Lightweight. Silent. This eco-designed printer offers unmatched print quality as well as multiple encoding options. It adapts to meet your needs: from a simple badge to the printing of technology cards. One card at a time or in small batches. Combined with the Evolis High Trust® consumables and Evolis Premium Suite® software, Zenius guarantees you ease of use coupled with a level of performance that is unequalled on the market. Zenius is ENERGY STAR certified, and meets the requirements of the extremely demanding European ErP directive, which rewards efforts in the field of energy efficiency. www.evolis.com
CONTENTS

Features
24 | COVER STORY | The great mobile ID experiment: Policy, technology and business case remain hypothetical
32 | MULTI-FUNCTION ID | DC One Card expands to schools
36 | ONLINE ID | Canada enables bank cards for access to online government services
38 | BIOMETRICS | Facial recognition’s privacy problem
56 | CASE STUDY | The Pentagon’s road to PIV compliance

Departments
6 | OPINION | Waiting for the mobile ID breakthrough
8 | PODCAST | Payment cards as ID tokens, Defining the mobile wallet, Google Wallet’s vulnerability, Visa explains online EMV
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
21 | CALENDAR | Industry events from the identity and security worlds
24 | COVER STORY | The great mobile ID experiment: Policy, technology and business case remain hypothetical
30 | MOBILE | Easy, yet secure, authentication on the mobile
32 | MULTI-FUNCTION ID | DC One Card expands to schools
34 | PIV-I | What does DC’s move away from PIV-I mean?
36 | ONLINE ID | Canada enables bank cards for access to online government services
38 | BIOMETRICS | Facial recognition’s privacy problem
39 | POLICY | FTC examines facial recognition
42 | DIGITAL IDENTITY | NSTIC to fund $10M for pilots
44 | INNOVATION | Identity award winners announced
46 | TECHNOLOGY | EMV can be more than payments
48 | FINANCIAL ID | Banks mulling strong authentication options
51 | EMV | MasterCard, Visa reveal details on EMV and NFC for U.S.
52 | NFC | Is Google Wallet secure enough?
54 | CLOUD ID | ID management for cloud-based apps
55 | MOBILE | The cloud, the mobile and physical access control
56 | CASE STUDY | The Pentagon’s road to PIV compliance
58 | AIRPORT ID | Airport credentialing update
60 | EXPERT PANEL | Colin Soutar, CSC: What’s in a credential?
63 | EXPERT PANEL | Jon Callas, Entrust: Easier, better identity on the horizon
64 | EXPERT PANEL | David Worthington, Bell ID: An exercise in mobility
64 | REVIEW | Google Authenticator hits and misses

INDEX OF ADVERTISERS (page numbers as extracted, in listing order)
AOptix, www.aoptix.com/iris-recognition, p. 35
CSC, www.csc.com/identitymanagement, p. 17
Datacard Group, www.datacard.com/id, p. 2
Digital Identification Solutions, www.matica.us, p. 7
Entrust, www.entrust.com, p. 3
FIPS201.com, www.fips201.com, p. 65
HID Global, www.hidglobal.com/future-REID, p. 68
IEEE, www.IEEEBiometricsCertification.org, p. 28
ISC West, www.iscwest.com/rid, p. 41
Lumidigm, www.lumidigm.com, p. 23
Perspective

EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS: Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Autumn Giusti, Jill Jaracz, Gina Jordan, Ross Mathis
ART DIRECTION TEAM: Franco Castillo, Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.
WAITING FOR THE MOBILE ID BREAKTHROUGH ZACK MARTIN, EDITOR, AVISIAN PUBLISHING
This is my second year in a row looking at mobile identity for the cover story of our Spring issue, and it’s the second year in a row I’m disappointed. The buzz around mobile identity is enormous. Identity experts say the mobile will bring high-assurance credentials to everyone. Federal smart card officials were livid when mobile PIV wasn’t included in the first draft of FIPS 201-2 last year, and the discussion at many of the conferences I attended focused on mobile identity. Still there is no consensus on how it’s going to be done or even how we will get an identity on the device.

The issues mobile identity must confront are the same that near field communication has faced – but they run even deeper. Who owns the secure element and where’s the business case for identity on the mobile? With NFC and payments there are opportunities for the mobile operators, banks and handset manufacturers to make money because they can take a piece of each transaction. There’s already money being exchanged so it’s a matter of figuring out who gets what. Progress is finally being made but this is the biggest obstacle to NFC deployment to date.

With identity it’s not so obvious. In an identity transaction there’s no money being moved around, so why would a secure element owner store an identity credential? A secure element can be wired into a handset, stored in a microSD card or embedded in the SIM. Each one of these would have a different owner – one executive says you never really own a handset but just lease it – with the microSD possibly being the only one owned by the consumer. But even that’s open to some question: what if the microSD is issued by a bank or an employer? It’s likely that handsets will have multiple secure elements. But at least one of them should belong to the user. The business case for mobile identity needs to be solved in order for the technology to move forward.
This brings to light the issue of a mobile wallet. With my old school wallet, I decide which one I want (leather, Velcro, Iron Maiden), and for the most part I decide what I place in it. For example, I have to carry a driver license or government ID and may have to carry a work credential.

But otherwise the space in the wallet is mine to fill with whatever payment, membership and loyalty cards I choose. What Google and ISIS – the consortium of Verizon, T-Mobile and AT&T – are doing with their ‘wallets’ seems to take away my control and limit my options. I wonder if they are confusing the wallet with things that could go in the wallet.

Adding services to a mobile wallet should be as simple as downloading an app to a smart phone. If my employer wants to issue a physical access credential, I can be told where to download it. When I leave that job I either delete it or the company revokes it over the air.

The same should be true for payment and loyalty cards. If mobile operators, banks and others don’t do this, mobile payments will suffer.
For mobile wallets to succeed they should closely mimic their real world counterparts. Give me control of a flexible, empty mobile wallet that is protected at a root level by an identity credential that I own. Then let me fill it with the accounts, services, applications and other dedicated ID credentials that fit my lifestyle.
I hope you enjoy the feature we’re calling the great mobile ID experiment.
Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 87: Payment cards as ID tokens
There are many discussions surrounding the multiple user names and passwords individuals must remember to gain access to accounts. Countries across the globe are investigating ways to make it easier for people to securely access information. In Canada, SecureKey Technologies will be enabling individuals to use bank cards for access to government sites, says Andre Boysen, executive vice president of Digital Identity and Authentication Services at the company.
“The challenge for governments in Canada and the U.S. for that matter is that consumers don’t deal with the government that often, so when you get a special purpose government account to interact with you’ve often forgotten the user ID and password since the last time you’ve used it,” Boysen says. “So the government’s idea here is really to take advantage of a credential that you have already and make it easier for you to get online.”
To listen, visit SecureIDNews.com/Podcasts and select “Episode 87”

Episode 88: Defining the mobile wallet
With near field communication on the horizon and more powerful handsets hitting the market, what is the current state of the mobile wallet?
The Mobey Forum released a white paper that examines the mobile wallet, what it is and what it does. Gerhard Romen, member of the board of directors at the Mobey Forum and director of Mobile Financial Services at Nokia, discusses the report and why the mobile wallet is more than just payments. Romen also gives his take on Verizon’s decision not to enable Google Wallet in the new Samsung handsets in favor of its soon-to-be-released ISIS. “We define a mobile wallet as a functionality on a mobile device that can securely interact with digital valuables,” Romen said. “That allows the wallet to reside on the phone or the cloud.”
To listen, visit NFCNews.com/Podcasts and select “Episode 88”

Episode 89: Google Wallet’s vulnerability
While Google Wallet is generally viewed as secure it still does leave key personal data unencrypted, according to research by viaForensics.
Regarding ID’s Gina Jordan spoke with Andrew Hoog, chief investigative officer at viaForensics, about the analysis the company did on the wallet system and the privacy holes it uncovered.
While Google made some changes to the software after the report was released, Hoog says more needs to be done. “There was a lot of information left on the device,” he says. “If somebody was trying to take over an identity, they could use this information to either pose as you or call you and act like they’re the credit card company and try to get you to release the additional information,” he adds.
To listen, visit NFCNews.com/Podcasts and select “Episode 89”

Episode 90: Visa explains online EMV
Visa made waves in August when it unveiled a road map to move the U.S. to EMV and then again in January when the company said that the country’s deployment would not be chip-and-PIN.
Stephanie Ericksen, head of Authentication Product Integration at Visa USA, talks to Regarding ID’s Gina Jordan about the move and why the U.S. will have a different solution than what’s typically associated with EMV.
“Because we have an online environment here in the U.S., and there are many countries around the world that also have that as well, there’s not the need to manage offline PIN and … the complexity that goes with supporting offline PIN. So EMV chip is not always necessarily EMV chip and PIN. There are many countries around the world that use EMV chip that do not have chip and offline PIN.”
To listen, visit FinancialIDNews.com/Podcasts and select “Episode 90”
ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com
CIRQUE DEMOS NFC-ENABLED COMPUTER TRACK PAD
Salt Lake City-based Cirque demonstrated a prototype of its NFC-enabled GlidePoint computer track pad at the Consumer Electronics Show in Las Vegas. The GlidePoint NFC track pad, which can be built directly into a laptop or attached as a separate unit via USB port, features a built-in NFC antenna that can receive data from mobile devices, NFC-enabled tags or business cards, and other NFC devices with a simple tap.
Cirque’s technology is a patented combination of NFC and touch sensors formed by etching an NFC antenna on the margins of the sensor or integrating it inside the touch module, according to the company.
The first laptops with embedded NFC track pads won’t hit the market until mid-2013, but the USB version should debut in the coming months.

ENTRUST DISCOVERY ENHANCES DIGITAL CERTIFICATE MANAGEMENT
Entrust has made enhancements to its Entrust Discovery digital certificate product by expanding search capabilities for digital certificates residing within Microsoft’s Cryptographic APIs and adding more than 25 basic or custom policy field alerts to ease certificate management.
Entrust Discovery is a certificate management tool that locates, inventories and manages digital certificates. It can work across diverse systems and aims to prevent outages, data breach and non-compliance. Users can establish and customize policies for certificate management and can run hourly, daily, weekly or monthly scans to check certificates for their status.
New policy field alerts include issuer DN, expiry status, subject DN, key, time valid, subject names and certificate signature method.
The product combines Entrust Discovery Agent, Entrust Discovery CAPI Scanner and Entrust Discovery Manager to use the policy field alerts to expose rogue or expiring certificates. Entrust Discovery is available as a cloud-based managed service or customers can deploy it themselves.

RUSSIAN GOVERNMENT DELAYS UNIVERSAL CARD PROJECT
Russia has pushed back the launch of its universal eID card to January 2013. Originally scheduled to roll out early in 2012, the card is supposed to function as an electronic ID, driver license, proof of auto insurance, ATM card and immigration document.
In December the government amended the law mandating the project to allow for the delay. The government estimates that the project will cost $5.2 to $5.6 billion to implement.
Universal Electronic Cards, a group set up by the Communications and Press Ministry, is running the project. Sitronics has been contracted to design and make the cards but is behind on the project. Further delays are due to poor infrastructure and inter-agency cooperation, with just four of 83 regions having started work on the system.
The UEC plans to identify application sites for the universal ID and pilot them to government employees this year. In 2013, the card will be issued to those who apply for it, and in 2014, all citizens, except those who refuse in writing, will receive them.
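The Entrust Discovery item above describes a discovery tool that inventories certificates and raises policy field alerts (issuer DN, expiry status, subject DN, key, time valid, subject names, signature method) to expose rogue or expiring certificates. The following is an added example, not Entrust's code, showing what such a policy evaluation looks like over an inventory: the records, the approved-issuer list, the 30-day expiry window and the weak-algorithm lists are all constructed for the example, and a real deployment would feed the same checks from certificates collected by an agent rather than from literals.

```python
"""Certificate inventory scan with policy field alerts (added example).

This is not Entrust's code. It imitates the class of checks the Entrust
Discovery item describes (issuer DN, expiry status, subject DN, key,
time valid, subject names, signature method) over a constructed
inventory of certificate records, the kind a discovery agent would
collect from servers or a CAPI store before policy evaluation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CertRecord:
    host: str               # where the discovery agent found the certificate
    subject_dn: str
    issuer_dn: str
    not_before: datetime
    not_after: datetime
    key_algo: str           # "RSA" or "EC"
    key_bits: int
    sig_method: str         # signature algorithm name as OpenSSL prints it
    sans: list = field(default_factory=list)   # subject alternative names


# Policy (constructed for this example): who may issue, how early to warn,
# which signature methods and key sizes are no longer acceptable.
APPROVED_ISSUERS = {"CN=Example Corp Issuing CA,O=Example Corp"}
EXPIRY_WARN_DAYS = 30
WEAK_SIG_METHODS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


def evaluate(rec, now):
    """Return the list of policy alert names raised by one record."""
    alerts = []
    if rec.issuer_dn not in APPROVED_ISSUERS:
        alerts.append("rogue-issuer")
    # Time validity is one of: not yet valid, expired, close to expiry, fine.
    if now < rec.not_before:
        alerts.append("not-yet-valid")
    elif now > rec.not_after:
        alerts.append("expired")
    elif rec.not_after - now <= timedelta(days=EXPIRY_WARN_DAYS):
        alerts.append("expiring-soon")
    if rec.sig_method in WEAK_SIG_METHODS:
        alerts.append("weak-signature-method")
    if rec.key_bits < MIN_KEY_BITS.get(rec.key_algo, 0):
        alerts.append("weak-key")
    # The name the host is reached by must appear among the subject names.
    if rec.host not in rec.sans:
        alerts.append("subject-name-mismatch")
    return alerts


def scan(records, now):
    """Evaluate every record; return {host: [alerts]} for hosts with findings."""
    findings = {}
    for rec in records:
        alerts = evaluate(rec, now)
        if alerts:
            findings[rec.host] = alerts
    return findings


# Constructed inventory: one clean certificate, one aging one, one rogue one.
SCAN_TIME = datetime(2012, 4, 1, tzinfo=timezone.utc)
GOOD_CA = "CN=Example Corp Issuing CA,O=Example Corp"
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", "CN=www.example.com,O=Example Corp", GOOD_CA,
               datetime(2011, 6, 1, tzinfo=timezone.utc),
               datetime(2013, 6, 1, tzinfo=timezone.utc),
               "RSA", 2048, "sha256WithRSAEncryption", ["www.example.com"]),
    CertRecord("mail.example.com", "CN=mail.example.com,O=Example Corp", GOOD_CA,
               datetime(2011, 4, 20, tzinfo=timezone.utc),
               datetime(2012, 4, 20, tzinfo=timezone.utc),
               "RSA", 2048, "sha1WithRSAEncryption", ["mail.example.com"]),
    CertRecord("intranet.example.com", "CN=intranet,O=Example Corp",
               "CN=Self-Signed Test CA",
               datetime(2011, 1, 1, tzinfo=timezone.utc),
               datetime(2012, 1, 1, tzinfo=timezone.utc),
               "RSA", 1024, "sha256WithRSAEncryption", ["intranet"]),
]


def run_scan():
    """Run the policy scan over the constructed inventory at SCAN_TIME."""
    return scan(SAMPLE_INVENTORY, SCAN_TIME)


if __name__ == "__main__":
    for host, alerts in run_scan().items():
        print(f"{host}: {', '.join(alerts)}")
```

Running it reports nothing for www.example.com, an expiring-soon and weak-signature-method pair for mail.example.com, and four alerts for the self-signed intranet certificate. The point of keeping the validity checks mutually exclusive is that an expired certificate should not also count as "expiring soon" and inflate the same finding twice in a scheduled scan.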
FUJITSU DEBUTS AUTHENTEC FINGERPRINT SENSOR IN NEW PHONE
AuthenTec announced that its AES850 smart fingerprint sensor has been integrated into a new Fujitsu smart phone, the REGZA Phone T-01D. With AuthenTec’s AES850, the Android 2.3-based phone can be locked and unlocked via a quick scan of the user’s fingerprint. The sensor can also be used to control access to applications on the phone as well as provide greater security for transactions at more than 500,000 NFC mobile payment terminals across Japan. The REGZA Phone T-01D also incorporates AuthenTec’s DataDefender app, enabling users to lock and unlock favorite Android applications with one swipe of a finger across the sensor. Since 2003, 30 Fujitsu phone models have incorporated AuthenTec fingerprint sensors. The REGZA Phone T-01D is currently available through NTT Docomo.
BELL ID LAUNCHES TSM SOFTWARE Bell ID launched its Mobile Token Manager, a software platform that provides over-the-air life cycle management of applications, cryptographic keys and secure elements on NFC-enabled mobile devices. According to Bell ID, the solution assists mobile network operators, service providers and trusted third parties in executing complex Trusted Service Manager services and the provisioning of applications onto mobile device handsets. Compliant with industry standards, the solution can be used for international deployments and is form factor neutral, supporting the life cycle of applications on any type of secure element, including SEs, UICCs and microSD cards.
VERIZON, ASSA ABLOY BRING NFC TO THE HOME Verizon Wireless is working with two ASSA ABLOY companies – HID Global and Yale Locks & Hardware – to demonstrate the benefits of smart phones carrying mobile keys. The Consumer Electronics Show demonstration in the Verizon booth showed how Verizon Wireless smart phones, carrying ASSA ABLOY/HID Global Mobile Keys, can be used to open doors fitted with Yale Real Living locks featuring near field communications technology. The Yale Real Living line will be compatible with the ASSA ABLOY/HID Global Mobile Keys platform, an infrastructure for distribution and management of mobile keys. The platform enables credentials to be distributed securely through NFC-enabled mobile phones as an alternative to mechanical keys and physical access cards. A demonstration showed how an ASSA ABLOY/HID Global Mobile Key can be issued over the air to an NFC-enabled smart phone on the Verizon network and then used to open an NFC-enabled Yale Real Living lock.
VERIZON ICAM CERTIFIED Verizon announced certification for issuance of level three identity tokens as defined by the U.S. government. The company is the first to be certified to issue credentials that have a “high confidence in the asserted identity’s validity.”
In 2010, Verizon introduced its Universal Identity Service, a cloud-based offering for identity management, says Tracy Hulver, chief identity strategist at Verizon. This latest certification will be added as an option to that service. The Universal Identity Service performs the identity vetting, credential issuance, authentication and access management, Hulver says. “This service lowers the bar for entry for two-factor authentication,” he says. Verizon enables two-factor authentication on a smart phone, landline or email, Hulver says. Smart phone users download a one-time pass code generator or receive a pass code via a text. With the other two options, OTPs are sent to those media and used for authentication. Smart cards and OTP tokens are also available as options, but most users have opted to use the smart phones, he adds.

The level three designation means Verizon is using multifactor authentication where multiple credentials – such as a user ID and a phone – are required to gain access to government and corporate networks. This enables more rigorous identity vetting and lower risk. The Kantara Initiative verified Verizon’s credentials against the Identity Assurance Framework. In November, the Kantara Initiative announced its approval by the U.S. General Services Administration as a Trust Framework Provider program. Verizon plans to offer the new service to corporate customers and eventually sees it working with consumers and the National Strategy for Trusted Identities in Cyberspace.
ABA TASK FORCE RELEASES DRAFT The first draft of the American Bar Association Task Force Report tentatively titled “Solving the Legal Challenges of Online Identity Management” has been posted on the Task Force Web site for review and comment. It is set out in three parts:
• Part 1: Identity Management Fundamentals and Terminology
• Part 2: Legal Regulation of and Barriers to Identity Management
• Part 3: Structuring the Legal Framework for an Identity System
The draft is still preliminary but is supposed to act as a starting point for discussion. The task force wants to move ahead quickly so input and suggested revisions are welcome, says Tom Smedinghoff, a partner at Edwards Wildman Palmer LLP and chairman of the group. There has been a change in terminology in the draft as well. The term “System Rules” is a substitute for the “Trust Framework.” This was done on the theory that “System Rules” is a more commonly used and more self-explanatory term and because the term “Trust Framework,” although frequently used, seems to generate a fair amount of confusion.
STATE OF COLORADO JUDICIAL CENTER INSTALLS 310 HID MULTICLASS READERS The Ralph Carr Judicial Center in Denver selected AMAG Technology’s Symmetry Homeland V7 Security Management System to provide integrated access control and security management solutions from HID Global. AMAG’s Symmetry Homeland Security Management System will integrate with 310 HID RP40 multiCLASS smart card readers, which combine HID Prox 125 kHz proximity and iCLASS 13.56 MHz credentials into a single reader.
The multiCLASS reader is capable of reading many card technologies within a single building or across multiple facilities. This includes DESFire, FIPS 201, ISO 14443B, ISO 14443A (MIFARE), ISO 15693 and FeliCa CSNs, in addition to full read/write on iCLASS and all 125 kHz low frequency formats. On track for completion in spring 2013, State of Colorado’s new judicial center will include a 12-story office building that will house seven judicial and legal agencies and a four-story courthouse that will include the Colorado Supreme Court Law Library and a large Visitors Learning Center.
GRAND HYATT SAN FRANCISCO TAPS INTO HIGH-TECH SECURITY FROM VINGCARD ELSAFE VingCard Elsafe, provider of hospitality security and part of ASSA ABLOY Group, has been selected by Grand Hyatt San Francisco to provide a package of VingCard Elsafe solutions for installation as part of the renovation of its 659 guestrooms. The completed renovation of the 38-story Union Square hotel features the addition of VingCard’s Orion energy management system, Signature RFID locks and Elsafe’s Infinity II electronic in-room safes, all powered by the VISIONLINE wireless online access management system. The installation of VingCard Elsafe’s Signature RFID locks enables simple, contactless guest room entry, and communication with VISIONLINE by VingCard gives hotel staff a real-time view of guestroom access attempts for quick security response in the event of an intruder or to notify guests if a door is left ajar.
The system is also designed to be easily adapted to near field communication, which will enable travelers to use their mobile phones as room keys and could allow guests to go straight to their rooms upon arrival. Additionally, the wireless management system integrates seamlessly with Elsafe’s Infinity II electronic safes so that hotel management can remotely view a safe’s locking status, enabling them to notify departing guests if they have forgotten to empty the safe. As part of a program being piloted by Hyatt Hotels, loyal guests will be given an RFID-enabled loyalty key card that they can reuse on each visit to the property, allowing them to bypass check-in.
LEGIC MMT TO BOOST MIFARE SECURITY LEGIC Identsystems announced the development of LEGIC MMT, an offering designed to provide customers with a new level of security and convenience for NXP Mifare-based environments. According to LEGIC, MMT will equip customers with new security components that will enable them to comply with the TR-03126-5 technical guideline from the German Federal Office for Information Security. This guideline, issued in 2010, describes a set of requirements for the secure operation of RFID solutions, giving manufacturers and operators of physical access systems recommendations on how to achieve a new level of security within their installations. Based on LEGIC’s Master-Token System Control, the MMT also features system management tools and certified security elements. LEGIC says the MMT will further extend the capabilities of the LEGIC advant family and simplify the use of advanced security for Mifare-based systems.
CONCERNS MOUNT OVER NEW CANADIAN BIOMETRIC PROGRAMS Privacy advocates in Canada have been raising concerns over the risk involved in two new biometric programs from the government that result in the sharing of private biometric data with other countries’ governments and possibly private corporations. The new programs are modeled after similar programs around the world that collect biometric data, such as fingerprints, from immigrants traveling to the country. In addition to fingerprinting immigrants upon entry, residents of certain countries will also be required to submit fingerprints and photographs when applying for temporary residence visas. Assuming the traveler clears the background check, he will have his biometrics checked once more upon entry to ensure the traveler is the same person who applied for the visa in the first place. Citizenship and Immigration Canada (CIC) hasn’t revealed which countries will be included in the program.

Chief among the worries of privacy advocates is that private contractors will handle the data collected at the borders. The CIC has outsourced some of the processing work that handles immigrants’ biometric data. In addition to this, Canadian privacy advocates have expressed concerns for the data sharing with the United States, the United Kingdom, Australia and New Zealand as a result of the Five Country Conference. The conference resulted in an agreement that the countries share biometric data of noncitizens for immigration purposes. In an effort to assuage some of the worries of privacy advocates, all five nations involved in the sharing hired a third-party risk assessment firm that offered recommendations for mitigating risk in the data sharing. Among the measures taken are sharing biometric data so that fingerprints aren’t linked with a person’s biographical data unless a match is made, destroying fingerprints after a search, exchanging the minimal amount of information until a match is made and thoroughly encrypting files both locally and while transferring the data.
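The four risk-mitigation measures listed for the Five Country Conference exchange (fingerprints unlinked from biographical data unless a match is made, fingerprints destroyed after a search, minimal information exchanged until a match, and encryption of stored and transferred files) describe a data-flow design rather than a product. The following added example, which is not code from any of the participating agencies, models the first three measures as a two-step exchange between a requesting and a responding side; the fingerprint "templates" are constructed byte strings, matching is exact digest equality as a stand-in for a real matcher, and encryption of the stores and of the transport is assumed to be handled outside this code.

```python
"""Minimal-disclosure biometric matching between two agencies (added example).

Not code from any of the Five Country Conference systems. It models the
measures the article lists: templates are not linked to biographical data
unless a match is made, the query template is destroyed after the search,
only minimal information is exchanged until a match, and every step is
logged. The "template" is a constructed byte string and matching is exact
digest equality, a stand-in for a real fingerprint matcher; encryption of
stored files and of the transfer is assumed to happen outside this code.
"""
import hashlib
import secrets


class MatchingService:
    """The responding country's side of the exchange."""

    def __init__(self):
        self._templates = {}    # template digest -> opaque reference
        self._biographic = {}   # opaque reference -> biographic record
        self._matched = set()   # references for which a match was reported
        self.audit_log = []     # (event, detail) tuples

    @staticmethod
    def _digest(template):
        return hashlib.sha256(bytes(template)).hexdigest()

    def enroll(self, template, biographic):
        """Keep template and biographic data in separate stores joined only
        by a random reference, so a template alone identifies nobody."""
        ref = secrets.token_hex(8)
        self._templates[self._digest(template)] = ref
        self._biographic[ref] = dict(biographic)
        self.audit_log.append(("enroll", ref))
        return ref

    def search(self, query):
        """Step 1: answer a template query with match/no-match and, on a
        match, an opaque reference. No biographic data leaves here, and the
        caller's template (a bytearray) is overwritten before returning."""
        try:
            ref = self._templates.get(self._digest(query))
            if ref is None:
                self.audit_log.append(("search", "no-match"))
                return {"match": False}
            self._matched.add(ref)
            self.audit_log.append(("search", ref))
            return {"match": True, "ref": ref}
        finally:
            query[:] = bytes(len(query))   # destroy the fingerprint after the search

    def release(self, ref, fields):
        """Step 2: only after a reported match, and only the requested
        fields, is biographic data handed over."""
        if ref not in self._matched:
            raise PermissionError("no match reported for this reference")
        record = self._biographic[ref]
        self.audit_log.append(("release", ref))
        return {k: record[k] for k in fields if k in record}


def run_exchange():
    """Walk through the exchange with constructed data; return what the
    requesting side learns at each step and whether its query was wiped."""
    svc = MatchingService()
    # Constructed enrolment records held by the responding country.
    svc.enroll(b"template-of-applicant-A",
               {"name": "A. Applicant", "dob": "1980-01-01",
                "nationality": "XX", "visa_no": "V-0001"})
    svc.enroll(b"template-of-applicant-B",
               {"name": "B. Applicant", "dob": "1975-05-05",
                "nationality": "YY", "visa_no": "V-0002"})

    unknown = bytearray(b"template-of-someone-else")
    no_hit = svc.search(unknown)            # learns only "no match"

    query = bytearray(b"template-of-applicant-A")
    hit = svc.search(query)                 # learns "match" plus a reference
    released = svc.release(hit["ref"], ("name", "dob")) if hit["match"] else None
    return {"no_hit": no_hit, "hit": hit, "released": released,
            "query_destroyed": all(b == 0 for b in query),
            "log": svc.audit_log}


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k}: {v}")
```

Two design points carry the privacy measures: the reference returned on a match is random and meaningless outside the responding service, so a requester that stockpiles responses learns nothing about non-matching travellers, and `release` refuses any reference that was not produced by a prior match, so biographic data cannot be pulled by guessing or replaying references.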
HID BUYS EASYLOBBY HID Global announced the acquisition of EasyLobby, a provider of secure visitor management solutions. EasyLobby’s product suite provides enterprise-class visitor registration, tracking, reporting, badge printing, asset and package management, Web-based pre-registration and employee/contractor time and attendance functionality. It is also integrated with a variety of access control, human resources and other systems.
GPO PRODUCES CREDENTIALS FOR SUPER BOWL The U.S. Government Printing Office designed and printed an FBI special events credential that was used by public safety personnel at Super Bowl XLVI in Indianapolis. GPO produced approximately 10,000 of these credentials at the agency’s facility in Washington DC. The special event credentials were issued to approved public safety and security personnel from local, state and federal agencies who required access to secure areas during the event.
A GPO spokesperson could not say whether any technology was embedded in the card for additional security or if it was used as a flash badge. GPO also produces other credentials for the federal government including Trusted Traveler Program cards for Department of Homeland Security’s Customs and Border Protection and the nation’s passports for the Department of State. GPO has also been certified by the General Services Administration to provide PIV services to federal agencies.
ORC IS PIV-I CERTIFIED FOR CREDENTIAL ISSUANCE Operational Research Consultants (ORC), a subsidiary of WidePoint Corp., has been authorized to issue PIV-I as a certified non-federal issuer. As a non-federal issuer, ORC’s identity credentials – issued to government contractors, state and local governments, first responders and health care providers – have additional interoperability for customers who wish to conduct e-government and e-commerce transactions with other entities across the Federal Bridge. ORC adds this certification to its list of credentialing offerings that include the U.S. External Certificate Authority (ECA), Access Certificates for Electronic Services (ACES) and Shared Service Provider federal issuer program. Four of WidePoint’s state credential deployments will achieve FEMA interoperability capability from this certification. It will also impact the company’s deployment of contractors and trading partners under the Federation for Identity and Cross-Credentialing Systems (FiXs) certified credentialing program that converges both physical and logical access control through a direct trust relationship with the Department of Defense.
U.S. GOV SETTLES SMART CARD INFRINGEMENT CASE The U.S. government settled an infringement case with Leighton Technologies by agreeing to license its smart card patent portfolio. Terms of the settlement were not disclosed. Leighton Technologies, a subsidiary of General Patent, filed a case against the federal government in the U.S. Court of Federal Claims in January 2010. Leighton alleged that 54 federal agencies used its six smart card patents without authorization. Leighton’s technology is also used in e-passports. Leighton amended its claim in December 2010 to include an allegation that the government inappropriately used and manufactured cards with processes covered by two Leighton-held patents. Over the last two years Leighton has won a number of settlements with regards to government contractors using its technology without a license.
REGISTRATION OF NEWBORNS MANDATORY FOR E-PASSPORT IN UAE The Emirates Identity Authority (EIDA) announced that the registration of Emirati newborns is now mandatory for electronic passports and ID cards. In order to register, parents must present their own ID cards in addition to the newborn’s original summary of civil status and original birth certificate to an EIDA-affiliated registration center. The EIDA noted that there are no transaction fees for the registration service and the newly born citizen does not have to be present.
ID SHORTS
SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com
Once registered, an identity certificate will be issued, which can then be used to apply for an e-passport and an ID card. Each card contains the cardholder’s address, photo, date of birth and fingerprints, and can be used as an official source of identification. The scheme, which began in 2005, was designed to integrate information from labor cards, visas and other ID documents, and to make government transactions easier.
NIST ADDS NEW BIOMETRIC MODE STANDARDS The National Institute of Standards and Technology published a revised biometric standard that expands the type and amount of information that forensic scientists can share across their international networks to identify victims or solve crimes. The new standard is titled “Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information” and is referenced as ANSI/NIST-ITL 1-2011, NIST Special Publication 500-290. It replaces standards already in use by the U.S. and many other countries as a way to format and set a universal language for sharing biometric data, as well as information about how the data was collected and specific characteristics of the data itself. In addition to updating language, NIST added DNA and footprint biometrics to the standard, which makes it the first standard for the transfer of DNA data. Beyond this, the new standard focuses on fingerprint, palm print and footprint data, setting specific terminology for references and procedures in describing the details of collected samples.
Other new aspects include describing how to record the GPS coordinates of where biometrics were collected, sending pictures, audio and video clips of crime scenes, maintaining data logs that keep an audit trail of access to the data, and the steps required for matching a collected sample. NIST officials are already working on a new version that would also include voice biometrics, traumatic injury imaging and analysis, dental forensics and conformance testing.
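To make the “universal language” concrete, the Python below is an added example (not NIST’s code and not from any tool or vendor on this page) that builds and parses a minimal ANSI/NIST-ITL transaction in the traditional tagged-field encoding: every field is tagged as type.number, fields are separated by GS (0x1D), records end with FS (0x1C), and RS (0x1E) and US (0x1F) delimit subfields and information items; the first field of each record (LEN) carries the record’s total byte length, and the Type-1 content field CNT (1.003) lists the records that follow. The sample transaction, its values and the Type-2 field numbers beyond 2.002 are constructed for illustration, since Type-2 content is defined by the receiving agency’s own specification. The checks a receiver actually wants, that LEN and CNT agree with the bytes received, are what the parser enforces; records carrying binary image data and the XML encoding are out of scope here.

```python
# Added example: build and parse ANSI/NIST-ITL records in the traditional
# (tagged-field) encoding. All sample values below are constructed, not real data.
FS, GS, RS, US = b"\x1c", b"\x1d", b"\x1e", b"\x1f"   # record / field / subfield / item separators


def _encode_value(value):
    """A field value is a str, or a list of subfields, each a list of information items."""
    if isinstance(value, str):
        return value.encode("ascii")
    return RS.join(US.join(item.encode("ascii") for item in sub) for sub in value)


def build_record(rtype, fields):
    """Serialise one record. Field 1 (LEN) is computed here: it counts every byte of
    the record, including the LEN field itself and the terminating FS."""
    body = [b"%d.%03d:%s" % (rtype, num, _encode_value(val))
            for num, val in sorted(fields.items()) if num != 1]
    rest = GS + GS.join(body) + FS
    length = len(rest)                       # LEN's own digits change the total, so iterate
    while True:
        head = b"%d.001:%d" % (rtype, length)
        if len(head) + len(rest) == length:
            return head + rest
        length = len(head) + len(rest)


def parse_record(data, pos=0):
    """Parse one record at `pos`; returns (type, {field: [[items], ...]}, next_pos).
    The record is delimited by its declared LEN rather than by searching for FS, so
    a truncated or padded record is rejected instead of being silently resynchronised."""
    head_end = data.index(GS, pos)
    tag, _, declared = data[pos:head_end].partition(b":")
    rtype, fnum = (int(x) for x in tag.split(b"."))
    if fnum != 1:
        raise ValueError("record does not start with the LEN field")
    length = int(declared)
    rec = data[pos:pos + length]
    if len(rec) != length or rec[-1:] != FS:
        raise ValueError("type %d record: LEN %d does not match the bytes received" % (rtype, length))
    fields = {}
    for chunk in rec[:-1].split(GS):
        tag, _, value = chunk.partition(b":")
        t, f = (int(x) for x in tag.split(b"."))
        if t != rtype:
            raise ValueError("field %s inside a type %d record" % (tag.decode(), rtype))
        fields[f] = [[item.decode("ascii") for item in sub.split(US)] for sub in value.split(RS)]
    return rtype, fields, pos + length


def parse_transaction(data):
    """Parse all records and cross-check the Type-1 CNT field (1.003): its first
    subfield says how many records follow, the rest list each record's type and IDC."""
    records, pos = [], 0
    while pos < len(data):
        rtype, fields, pos = parse_record(data, pos)
        records.append((rtype, fields))
    if not records or records[0][0] != 1:
        raise ValueError("transaction must begin with a Type-1 record")
    cnt = records[0][1][3]
    if int(cnt[0][1]) != len(records) - 1:
        raise ValueError("CNT declares %s records, %d received" % (cnt[0][1], len(records) - 1))
    if [int(sub[0]) for sub in cnt[1:]] != [r for r, _ in records[1:]]:
        raise ValueError("CNT record types do not match the records received")
    return records


def is_well_formed(data):
    """True if the transaction parses and its LEN/CNT bookkeeping is consistent."""
    try:
        parse_transaction(data)
        return True
    except (ValueError, IndexError, KeyError):
        return False


def sample_transaction(extra_in_cnt=False):
    """Constructed Type-1 + Type-2 transaction (version 0500 = ANSI/NIST-ITL 1-2011).
    With extra_in_cnt=True the CNT field announces a Type-4 record that is never sent."""
    cnt = [["1", "2" if extra_in_cnt else "1"], ["2", "00"]] + ([["4", "01"]] if extra_in_cnt else [])
    type1 = {2: "0500", 3: cnt, 4: "CAR", 5: "20120301", 7: "DAI000001", 8: "ORI000001",
             9: "TCN000001", 11: "00.00", 12: "00.00"}
    type2 = {2: "00", 18: "JONES,FRANK", 22: "19700101"}   # field numbers > 2.002 are agency-defined
    return build_record(1, type1) + build_record(2, type2)


if __name__ == "__main__":
    tx = sample_transaction()
    for rtype, fields in parse_transaction(tx):
        print(rtype, fields)
    print(is_well_formed(tx), is_well_formed(tx[:-1]), is_well_formed(sample_transaction(True)))
```

Delimiting each record by its declared LEN is the design point: a receiver that instead scans for the next FS will happily accept a record whose length field lies, which is exactly the mismatch an audit trail or a downstream matcher should never see.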
MULTICARD TO SUPPLY MULTI-FUNCTIONAL CREDENTIALS FOR HENKEL Multicard, a unit of Identive Group that supplies credential, identity management and system integration services, signed a contract with global consumer products company Henkel to provide a global multi-function identity card to Henkel employees. Multicard will employ its contactless smart card single ID credential to provide building access, time and attendance tracking, payment services in employee cafeterias and PKI applications for network access. According to Henkel, they opted for Multicard’s services because they could consolidate credentials for physical and logical access onto one card, which helped realize cost savings. Multicard will deploy the cards and will also be responsible for managing the program on an ongoing basis.
ADVENT INTERNATIONAL COMPLETES OBERTHUR ACQUISITION Global private equity firm Advent International completed the acquisition of the Card Systems and Identity divisions of Oberthur Technologies. Advent and its management now control 90% of Oberthur’s capital, with the remaining 10% stake being held by Oberthur group founder Jean-Pierre Savare and his family. The value of the transaction is 1.15 billion Euros. Xavier Drilhon, former deputy managing director of Oberthur group and managing director of the card systems division, will now be the CEO of Oberthur Technologies. Advent plans to grow Oberthur through strategic external acquisitions that can further its technological advancements.
LUMIDIGM PARTNERS WITH TIGER IT FOR IRIS AND FINGERPRINT SOLUTION Lumidigm is partnering with Tiger IT Bangladesh to bring a criminal identity solution that utilizes iris and fingerprint recognition to the Rapid Action Battalion (RAB) office in Bangladesh. The solution will incorporate Lumidigm’s multispectral Venus fingerprint sensors.
UNISYS OPENS BORDER-CROSSING SYSTEM IN EL PASO The U.S. Customs and Border Protection agency is working together with Unisys on a Land Border Integration project to deploy one of the first pedestrian border crossings in El Paso, Texas. The initial phase of the Pedestrian Re-engineering initiative comprises a combination of gate systems along with handheld devices and RFID technology to identify and process travelers crossing the U.S.-Mexico border by foot. Additionally, ten fingerprint biometric capture devices will be included in the gates nearest the inspection booth for future integration into the pedestrian system.
Travelers crossing the border on foot will approach a gate system and present their RFID-enabled travel documents to electronic document readers. While travelers proceed to the primary inspection area, information identifying the travelers will be relayed to officers who will then determine if they are admissible into the U.S.
The contract followed Unisys’ work on the Western Hemisphere Travel Initiative (WHTI) contract, awarded in 2008. Implemented at all land border ports of entry, WHTI uses automated license plate reader technology to screen vehicles crossing the border, as well as RFID technology to confirm the citizenship and identity of travelers carrying WHTI-approved, RFID-enabled travel documents.
HID, SONY RELEASE READER PLATFORM HID Global and Sony announced a jointly developed contactless smart card reader platform that embeds secure access control capabilities and near field communication functionality into laptops and other mobile devices. The platform holds a secure element that stores the cryptographic keys used to protect the authenticity and integrity of user credentials. It supports widely used contactless technologies for applications ranging from physical access control and identity assurance at the desktop to transit fare collection, point-of-sale and loyalty programs. The reader platform has been provided to the NFC Forum Certification Program as a reference sample to assist in the validation of the Digital Protocol test tools, and will also be submitted for certification.
The jointly developed platform supports Sony’s FeliCa technology, HID Global’s iCLASS and iCLASS SE credentials, MIFARE DESFire EV1 credentials, and other technologies based on the ISO/IEC 14443 Type A/B contactless smart card standard using the T=CL contactless transmission protocol.
The solution also supports the industry-standard PC/SC Version 2.0 specification for the programming interfaces between PC applications, the operating system and smart cards. It is also prepared to support the proximity features of the next major release of the Microsoft Windows operating system, which enable communication between NFC tags and mobile devices, as well as the Android operating system for tablet products.
CRYPTOMATHIC DEVELOPS MOBILE TWO-FACTOR AUTHENTICATION SUITE Cryptomathic introduced Mobile AuthApp, a line of two-factor authentication apps for smart phones. These apps enable users to authenticate themselves via a mobile device without the need for a separate authentication token. The Mobile AuthApp line can generate one-time passwords on a number of mobile operating systems, including BlackBerry, Android and iOS. Because it uses open standards such as OATH, the MasterCard Chip Authentication Protocol and Visa Dynamic Passcode Authentication, the product can integrate into existing security systems and works with the global payment networks. Cryptomathic designed Mobile AuthApp to work with its existing SMS products that provide secure online access, which are designed to counter man-in-the-middle attacks and give users choices as to security features and functionality.
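As an added example of the OATH mechanics named above (not Cryptomathic’s code and not tied to any product on this page), the Python below implements HOTP (RFC 4226) and TOTP (RFC 6238) together with the server-side verification a relying party needs: a bounded look-ahead window for event-based tokens, a small clock-skew window for time-based ones, rejection of any counter or time step that has already been accepted (replay), and constant-time comparison of the submitted code. The key is the RFC test-vector secret so the outputs can be checked against the published vectors; a real deployment provisions a random per-user secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"). Used here so
# the outputs match the published vectors; real tokens get a random per-user key.
RFC_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def verify_hotp(key, submitted, last_counter, look_ahead=10, digits=6):
    """Event-based check. Returns the counter to store on success, None on failure.
    Only counters after the last accepted one are tried (a used counter is never
    re-accepted), the window is bounded so a token pressed a few times without a
    login still works, and compare_digest keeps the comparison constant-time."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def verify_totp(key, submitted, unix_time, last_step, step=30, skew=1, digits=6):
    """Time-based check. Returns the accepted time step on success, None on failure.
    Accepts the current step and +/- `skew` neighbours for clock drift, but never a
    step at or before the last accepted one, so a captured code cannot be replayed
    inside its validity window."""
    base = unix_time // step
    for candidate in range(base - skew, base + skew + 1):
        if candidate > last_step and hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])      # RFC 4226 vectors: 755224, 287082, 359152
    print(totp(RFC_SECRET, 1111111109, digits=8))       # RFC 6238 SHA-1 vector: 07081804
```

The verifier returns the counter or time step it accepted rather than a bare boolean because the caller must persist that value: without it, the same code is valid again until the window moves on, and an attacker who shoulder-surfs or phishes one code gets a second login for free.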
QUÉBEC TAPS DATACARD Datacard Group announced a contract award from the Société de l’assurance automobile du Québec (SAAQ) to upgrade to the Datacard MXD Card Delivery System and MXi Envelope Insertion System for enhanced card delivery and mailing for its driver licenses and identification cards. SAAQ has been a customer of Datacard Group since 2002 and mails nearly 1.8 million driver licenses and identification cards to the citizens of Québec each year. The MXD card delivery system enables on-demand printing, card affixing and form folding in a personalized card carrier that is then sent to the automated MXi envelope insertion system to be placed into a ready-to-mail envelope. Datacard Group works with government agencies in more than 95 countries, providing secure identification solutions for projects including travel documents, national IDs, driver licenses, smart IDs and e-government applications.
UAE STARTS ONLINE REGISTRATION FOR NATIONAL ID The Emirates Identity Authority announced the test launch of the registration e-form on its web site for the national ID card. Applicants will be able to avoid lines at registration centers by using the online service to fill ID forms, pay fees and get an appointment for biometric screening. The Emirates Identity Authority revealed that the total number of transactions for registration and renewal of expired ID cards at its centers exceeded 260,000 transactions in one week, equal to around 37,000 transactions per day. The Emirates ID card has been made mandatory for completing transactions at the Abu Dhabi Retirement Pensions Fund, as well as at the Department of Real Estate Registration in Sharjah, from Jan. 1.
GSA IMPLEMENTS CLOUD-BASED PHYSICAL ACCESS SYSTEM The General Services Administration (GSA) has implemented its first cloud-based physical access system at the Neal Smith Federal Building in Des Moines, Iowa. The GSA contracted with BridgePoint Systems to utilize its TrustAlert Physical Access Control System. BridgePoint partnered with EmbarkIT to install the system, which replaced the GSA’s 10-year-old legacy system. It leverages the GSA’s Kansas City, Missouri-based WAN and remote IT infrastructure. BridgePoint used the existing infrastructure at the Neal Smith Federal Building to install the TrustAlert PACS with a cloud-based protocol. The system meets federal FIPS 201 standards and guidelines. It is interoperable among the 40-plus agencies located in the building and works with the 500-plus employees who already have PIV credentials. An additional 300 employees who currently do not have PIV credentials will transition to the new system. The PACS required the installation of 23 readers on parking gates, elevator controls and automated doors. The GSA and EmbarkIT enabled employee and contractor building access with the TrustAlert Enrollment system, which lets them set up different levels of security clearance and access permission.
BRITISH COLUMBIA MOVES FORWARD ON CARECARD UPGRADE British Columbia is moving forward with plans to upgrade its CareCard program. The new card will provide access to a variety of provincial services including electronic health records, driver licensing and school registration for children. The provincial government plans to sign a $20 million, six-year deal with Toronto-based SecureKey to provide all of the necessary technology, including contactless readers that let citizens tap their card to access government-held information. The cards will carry an embedded security chip with advanced security features used to combat fraud. The chip itself won’t store any personal information; instead it will be used to verify the cardholder’s identity and route them, over a secure connection, back to the information held by the government. While many of the services will not be immediately available, the mandatory cards will be issued to the general public later this year, in November. The proposed features are expected to roll out over the next five years.
DUTCH MINISTRY OF DEFENSE OPTS FOR IDENTIVE SECURITY The Dutch Ministry of Defense (MoD) selected Identive’s SmartFold smart card readers to provide secure remote network access for its employees.
The ministry has a large volume of restricted and sensitive data with particular management requirements. The MoD felt that the Identive contact smart card reader would provide the desired level of security, yet be flexible enough to incorporate into the existing network security infrastructure. The MoD deployed 59,500 ISO 7816-compliant SmartFold SCR3500 mini USB readers, which were provided by SCC, Identive’s distribution partner in the Netherlands.
STATE DEPARTMENT PILOTS ONLINE PASSPORT CARD APPLICATIONS As part of the U.S. Department of State’s initiative to simplify and streamline customer service interactions and processes, the Office of Passport Services in January started a 90-day pilot program for online passport card applications. Adult U.S. citizens living in the United States and Canada who currently hold a valid 10-year U.S. passport book may participate in the program. Applications must include an acceptable digital photograph and a payment of $30 via Pay.gov. Applicants will not be required to mail in their current passport book and forms. The State Department developed the passport card in 2008 to comply with the Western Hemisphere Travel Initiative. The wallet-sized card is valid for land and sea travel to and from Canada, Mexico, the Caribbean and Bermuda, however, it’s not valid for international air travel. Since its introduction the office has issued more than 4.5 million passport cards.
NEW ZEALAND GOVERNMENT AGENCIES ADOPT BIOMETRIC VOICE IDENTIFICATION New Zealand government agencies Inland Revenue and Work and Income have adopted biometric voice identification as a means of verifying people when they call into the agencies. Callers can let the system record and recognize their voices so they don’t have to go through an identification verification process every time they call into the agency. Inland Revenue hopes to enroll 800,000 people within a year. Work and Income introduced the system in July and has registered 15,000 people so far, with only three percent declining to participate in the system. Since implementation, the system has successfully completed 50,000 identity checks.
One challenge is that the poor audio quality of mobile phone calls, which make up about 38% of calls to Work and Income’s contact center, makes verifications performed over them hard to rely on.
GSA INKS ENTRUST FOR PKI MANAGED SERVICES The U.S. General Services Administration has awarded Entrust a four-year, $4.5 million contract to continue providing hosted PKI services and digital certificates as the security infrastructure for HSPD-12 initiatives. The incumbent in the re-compete, Entrust has provided managed PKI solutions and services for the GSA’s credentialing program since 2007.
In 2007, as part of a six-member team, Entrust was subcontracted a portion of the GSA’s $66.3 million contract, which was then awarded to Texas-based Electronic Data Systems – now HP Enterprise Solutions – to lead the HSPD-12 managed-service offering. Entrust’s new contract is directly from the GSA, adding more flexibility to the services provided to the U.S. government.
Distributed through the GSA’s USAccess program, Entrust provides authenticated credentials to federal employees and contractors at more than 90 government agencies. While specific uses vary, the smart card-based credentials, coupled with PKI digital certificates, can be used for physical access to secure government facilities and logical access to protected desktops and networks.
Entrust provides PIV services to federal employees and contractors and PIV-I certificates to organizations that want their certificates trusted by the federal government. In addition to user certificates, the new contract enables Entrust to provide machine and device certificates to the federal government, contractors and business partners. Entrust Managed Services PKI provides digital certificates to the federal government under the Shared Service Provider program. The program was established under the Federal Identity Credentialing Committee and the Federal PKI Policy Authority to give U.S. federal departments and agencies a method to access PKI services while leveraging previous government investments.
DELIVERING TRUSTED IDENTITIES THAT ARE BEYOND A SHADOW OF A DOUBT Government and business rely on trusted identities. Whether you are protecting vital information or securing a border or critical infrastructure, you need to establish, with absolute certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide foolproof identification but also rigorously protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy. CSC Public Sector CSC.COM/IDENTITYMANAGEMENT
ACCENTURE WINS $71M CONTRACT FROM DHS The U.S. Department of Homeland Security awarded Accenture Federal Services a 13-month, $71 million contract to add biometric modalities and other enhancements to the US-VISIT program. US-VISIT currently uses digital fingerprints and photographs, but a pilot program included in the contract will test facial and iris identification. The program provides biometric information to the U.S. Department of State, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, U.S. Citizenship and Immigration Services, the U.S. Coast Guard and the Transportation Security Administration. Upgrades under the contract also will enable biometric information to be shared in real time with the U.S. Department of Justice and U.S. Department of Defense. The federal government verifies biometric information collected by US-VISIT. The information is checked against a watch list of known or suspected terrorists, criminals and wanted felons, and for possible violations of immigration law. Accenture began working on US-VISIT in 2004, taking operational responsibility for the Automated Biometric Identification System (IDENT). Since then, it has become the largest biometric identity system in the world, processing more than 300,000 encounters a day against a database of more than 130 million stored encounters. The average response time for users is less than 10 seconds.
HITACHI, ISBANK PARTNER FOR MASSIVE NETWORK OF BIOMETRIC ATMS Hitachi partnered with Turkey-based bank Isbank to bring biometric authentication to roughly 3,400 ATMs in Europe. While this network of biometric ATMs using Hitachi’s finger vein scanning technology is the largest in Europe, it is far from the largest worldwide: Japan has embraced the technology and installed more than 75,000 finger vein-based ATMs. Authenticating one’s identity via the unique pattern of veins in a finger lets bank customers access their accounts without carrying a bank card.
IDENTITY SERVICE HELPS GOVERNMENT AGENCIES MEET FICAM REQUIREMENTS Radiant Logic announced that its RadiantOne identity virtualization platform can provide federated identity services to enable government agencies to meet FICAM requirements.
RadiantOne uses model-driven identity virtualization to provide the functions of a FICAM Authoritative Attribute Exchange Service (AAES) to securely share authoritative identity attributes within an agency. RadiantOne provides logical service layers that act as the Authoritative Attribute Manager and Authoritative Attribute Distributor. The platform uses a virtual abstraction layer to combine identity information from disparate sources and can give a global picture of identity while maintaining security locally. The platform consists of a Virtual Directory Server (VDS), an Identity Correlation and Synchronization Server (ICS) and the Cloud Federation Service. The three pieces work together to aggregate and correlate both agency and contractor identities. The product is able to run without custom coding or complex synchronizations.
UK TO START USING BIOMETRIC RESIDENCE PERMITS This spring, the UK Border Agency will begin requiring applicants from outside the European Economic Area who apply for stays of more than six months to use biometric residence permits. The permits will replace the multiple documents employers in the country use to ensure their employees are legal residents, and make the whole process simpler and more secure. In addition to the biometrics, the agency is enabling employers to check employee permit status online to better ensure that an employee’s permit is valid. The UK Border Agency is offering assistance to employers to keep their employment practices legal and, consequently, avoid the 10,000 pound fine per illegal employee. To meet the expected increase in demand, 100 Crown Post Offices in the UK will begin processing the fingerprints and photographs of foreign nationals so that the smart cards, with embedded chips containing the biometric data, can be quickly distributed to those whose applications pass criminal and terrorism checks.
IPHONES INCREASINGLY USED AS A BIOMETRIC SOLUTION FOR LAW ENFORCEMENT Thanks to device add-ons from companies such as Fulcrum Biometrics, the iPhone is seeing increased demand as a tool for law enforcement. Fulcrum’s mobileOne is a fingerprint-based device that slips over an iPhone or iPod Touch to turn it into a mobile fingerprint collection and matching solution. In addition to enabling a user to collect fingerprint data, the phone can then compare results against remote databases such as FBI or local law enforcement biometric databases over WiFi or other wireless communication available on the phone. mobileOne is expected to undergo trials for FBI approval in 2012, so it could become widely available for use by any law enforcement agency in the future.
NEW CIV CREDENTIAL FROM IDONDEMAND idOnDemand announced its Commercial Identity Verification (CIV) credential. With the Identive SmartID card with CIV, private enterprises can leverage the same technology and data model that the federal government uses to establish a secure, electronically verifiable identity program without the requirement for cross-certification with the Federal PKI Bridge. This product is aimed at international or multi-site companies looking for a secure credential that enables employees and contractors to carry only one badge to log on to the company network as well as to access facilities. The Smart Card Alliance released a white paper on CIV in October. With an idOnDemand SmartID CIV credential, enterprises can fulfill this vision while achieving high levels of access security and technical interoperability similar to those provided with Personal Identity Verification (PIV) cards. Available immediately, the idOnDemand SmartID CIV offering is fully hosted and securely managed by idOnDemand. Pricing is on a per-user basis. “Though new in concept, CIV is quickly being recognized for the strong authentication that it offers the private sector and its wide applicability based on proven, standards-based technology,” said Rob Zivney, vice president of government and standards for Identive Group. “Industry made a significant investment in smart card research and development for government sector identity applications. That technology can now be used by enterprises in the private sector without the burden of maintaining policy requirements for background checks, interoperability, and infrastructure. With CIV, the private sector now can use the same government-grade smart card with inherent cryptographic capabilities for strong authentication, and leverage recognized specifications for compatibility as they integrate the cards into their physical access or IT infrastructure.”
DARPA WORKING TOWARDS NEW INTERNAL BIOMETRIC AUTHENTICATION SYSTEMS The U.S. Defense Advanced Research Projects Agency (DARPA) is seeking proposals for research projects that could yield new biometric systems that authenticate users based on their own unique movements or behaviors such as the way they type or move a mouse.
The intent of the new project, which DARPA is calling Active Authentication (AA), is to find a user-friendly system that can replace the password- and Common Access Card-based authentication methods that Department of Defense IT systems currently require for authenticating users. Other modes DARPA officials are expecting as possible solutions, beyond keystroke and mouse movements, include eye movement and language patterns, all of which they hope to have operating so that a user can be continuously and unobtrusively authenticated. DARPA has set rules for researchers to ensure that the proposed systems do not require new hardware for scanning or biometric data collection, relying only on the keyboard, mouse, existing software, network cards and printer connections. DARPA hopes to have a pilot system in testing by the end of 2015.
EXOSTAR ADDS OTP TO ID LINEUP Exostar expanded its Managed Access Gateway identity management service to accept one-time password hardware tokens.
The gateway uses the Exostar-issued hardware tokens, as well as other forms of credentials, such as basic and medium level of assurance public-key infrastructure certificates and Common Access Cards, to control access to Exostar and other service provider applications connected to the Exostar Identity Hub. Typically, one-time password tokens are used within a single enterprise. Exostar’s can be purchased and used by anyone in the Exostar community – comprised of more than 70,000 companies and nearly 200,000 users – to gain secure access to all applications in the community to which they have been granted permission. The Boeing Company has selected Managed Access Gateway’s OTP capability as the foundation of its One ID Supplier Identity Management program. The Boeing One ID program uses a two-factor authentication requirement that will employ Exostar’s OTP hardware tokens to authenticate access for approximately 10,000 supplier organizations and 50,000 individuals serving all divisions across the Boeing enterprise. The transition to the Exostar OTP hardware tokens will be completed during the 2012 calendar year.
IBM: PASSWORDS ON ROAD TO EXTINCTION IBM released its Five in Five, a list of five innovations that are going to change the way people work and live. Among the predictions is passwords going the way of the dodo. The tech giant states that an individual’s biological makeup will be the key to their identity and to safeguarding it. Individuals won’t have to remember multiple passwords; instead biometrics will unlock access. “Imagine you will be able to walk up to an ATM machine to securely withdraw money by simply speaking your name or looking into a tiny sensor that can recognize the unique patterns in your eye. Or by doing the same, you can check your account balance on your mobile phone or tablet,” the company states. Individual characteristics will be collected through software to build a unique DNA online password. Multi-factor biometrics will match a unique profile. IBM also predicts that: people power will come to life; mind reading is no longer science fiction; the digital divide will cease to exist; and junk mail will become priority mail.
‘BUTT BIOMETRICS’ IS NO JOKE A Japanese researcher has developed a biometric that could be used to protect a car from theft: butt biometrics. Shigeomi Koshimizu, an associate professor at the Advanced Institute of Industrial Technology in Tokyo, developed the technology. A seat pressure map generates 39 indices that are used to uniquely identify a subject’s posterior. Results so far have been encouraging, with an average false reject rate of 2.2% and false accept rate of 1.1%. Biometrics like facial recognition and fingerprinting can be affected by environmental factors; Koshimizu hopes to leverage the relatively unchanging nature of the human buttocks to improve accuracy and lower the burden on the end user. Koshimizu says the technology could also be used in offices to automatically log in to a computer.
UK AND IRELAND TO SHARE BIOMETRIC DATA TO FIGHT ILLEGAL IMMIGRATION The UK and Ireland have agreed to share information from visa applications, including fingerprint data. The UK Border Agency expects the new partnership not only to enhance its ability to detect illegal immigrants but also to result in cost savings. This will potentially lead to a partnership on electronic border systems that would better identify individuals with false asylum claims and other illegal immigrants before they arrive at the borders of the UK, Ireland, the Channel Islands and the Isle of Man. Among the evidence for the need for such a partnership are the nearly 500 out of 1,516 rejected asylum claims in Ireland that were identified as being from people referred to as “asylum shoppers,” or those who have previously submitted applications for visas or asylum in the UK or elsewhere.
BIOMETRIC VACCINATION PROGRAM RECEIVES GRANT A project from RMIT University that links infant footprint records to vaccination records has received a grant from the Grand Challenges Explorations initiative, a part of the Bill & Melinda Gates Foundation. The project, which will be piloted in developing countries, has been named Happy Feet and aims to make the vaccination history of children immediately available through a scan or photograph of one of their feet. The team behind Happy Feet was one of 110 receiving grants from the Grand Challenges Explorations initiative, which starts out with two separate $100,000 grants followed by a chance to receive an additional $1 million should the project prove successful. The criterion for receiving a grant from the initiative is the use of unorthodox yet attainable approaches to tackle health problems in the developing world.
3M COGENT SOLUTION APPROVED FOR TWIC 3M Cogent announced that its biometric access control readers have passed the United States Transportation Security Administration’s Transportation Worker Identification Credential (TWIC) Initial Capability Evaluation (ICE) assessment. The two readers that have landed on the TWIC ICE Fixed Reader list, the list of TWIC-approved biometric devices, are the MiY-ID and MiY-Card. By passing the ICE assessment, the two devices can now be implemented in the systems required under the Maritime Transportation Security Act of 2002 to biometrically authenticate the identities of those working at maritime facilities.
DISA CERTIFIES GOOD TECHNOLOGY’S ANDROID PLATFORM The Defense Information Systems Agency (DISA) certified Good Technology’s secure Android OS-based platform, which enables the Global Information Grid to use Good’s Good for Government mobile device management and data loss prevention capabilities.
With the Secure Android platform, U.S. Department of Defense employees can securely sign, encrypt and decrypt e-mail, apply a secure partition on the device for business apps and access an intranet.
This is the first DISA-certified Android OS product that meets the Security Technical Implementation Guide standards established by DOD Directive 8100.2, which requires the use of Secure/Multipurpose Internet Mail Extensions (S/MIME) in conjunction with a DOD Common Access Card and interoperability with the DOD’s PKI.
DISA’s approval is for the Android OS on Dell Streak 5 devices. Good worked with Dell to harness Android’s security framework on Streak 5 devices. With the Good for Government mobility products, Secure Android OS can pass and manage data from the DOD’s Microsoft Exchange servers wirelessly via Good’s e-mail application to the Android device using FIPS 140-2 cryptographic modules with AES encryption.
CALENDAR
March
ISC West 2012, March 27-30, 2012, Sands Expo and Convention Center, Las Vegas, Nev.
April
NACCU 19th Annual Conference, April 22-25, 2012, Sheraton Seattle Hotel, Seattle, Wash.
May
CTIA Wireless 2012, May 8-10, 2012, Ernest N. Morial Convention Center, New Orleans, La.
NFC Solutions Summit 2012, May 22-23, 2012, Hyatt Regency San Francisco Airport, Burlingame, Calif.
September
ASIS 2012, September 10-13, 2012, Philadelphia Convention Center, Philadelphia, Pa.
Biometric Consortium Conference and Biometric Technology Expo, September 18-20, 2012, Tampa Convention Center, Tampa, Fla.
October
MRTD 2012, Eighth Symposium and Exhibition on ICAO MRTDs, October 10-12, 2012, ICAO Headquarters, Montreal, Canada
SPRING 2012
ID SHORTS
ID STATS
SALT LAKE GEARS UP FOR NFC SUMMER Isis, the mobile commerce joint venture between AT&T, T-Mobile and Verizon, is preparing to launch a large-scale NFC payments pilot in Salt Lake City this summer. The pilot will also be conducted in Austin, Texas, and represents a major push by the U.S. payments industry to get customers and merchants to adopt mobile payments and smart cards. “This summer in Salt Lake City and in Austin we will be launching kind of a full frontal attack across carriers, banks and merchants,” said Jim Stapleton, chief sales officer for Isis. “Consumers [will] actually experience this new world we’ve all talked about.” According to Stapleton, an exact launch date has not been set, but the pilot is expected to run for 6 to 12 months ahead of a nationwide rollout. In addition to payments, the new service will enable customers to store loyalty cards and coupons on their phone, creating a true mobile wallet experience. Salt Lake residents can expect to hear from banks and mobile operators early this year about how to use the new technology.
1 in 8 – The share of North American and Western European mobile users who will use an NFC-enabled mobile phone as a metro rail or bus ticket by 2016, compared with less than 1% today. Source: Juniper Research, ‘Mobile Ticketing Evolution: NFC, Forecasts & Markets 2012-2016’

200 million – The number of NFC-embedded handsets that will ship by the end of 2012. Source: Deloitte

6 billion – The number of microprocessor-based smart secure devices (smart card ICs) shipped in 2011. Source: Eurosmart

46% – The percentage of mobile phones that will be NFC-enabled by 2016. Source: MarketResearch.com

80% – The percentage of UK contactless card owners who report never having used the contactless payment functionality. Source: YouGov, Mobile Wallet Study

$16 billion – The projected value of the global biometric marketplace in 2017. Source: Global Industry Analysts

$40 billion – The projected cost of a mandatory biometric employment verification card for all U.S. workers. Source: Chief Justice Earl Warren Institute on Law & Social Policy at UC Berkeley School of Law

1.8 billion – Shipments of hardware-based secure password solutions, including one-time-password (OTP) generators, portable smart card readers and USB tokens, will reach 1.8 billion by the end of 2016. Source: ABI Research
Get security and convenience... along with durability, performance and a compelling ROI. With Lumidigm, you don’t have to compromise. We call this the Lumidigm Advantage™. Quite simply, our patented multispectral imaging approach to user identification is the best there is. Lumidigm technology was specifically developed to address the shortcomings of conventional sensors that force users to choose between security and convenience. For more information about the Lumidigm Advantage, visit www.lumidigm.com. We are available at +1 (505) 272 7057 and sales@lumidigm.com to answer your questions.
THE GREAT MOBILE ID EXPERIMENT
POLICY, TECHNOLOGY AND BUSINESS CASE REMAIN HYPOTHETICAL
ZACK MARTIN, EDITOR, AVISIAN PUBLISHING
Be it Android, Apple, tablet or smart phone … mobile devices are everywhere, and users want to do everything on them that they do on their desktop. As the functionality increases, so do the threats to the information stored on and accessed by the devices. The same dangers that plague the desktop world are exacerbated in the mobile world. Mobile brings convenience, access and portability with a low cost of entry, but it creates a “perfect storm” of risk, explains Juan Duque, principal in the Federal Enterprise Technology Risk Services at Deloitte. “It can be the same risk you see in the non-mobile environment but it can go even deeper,” he says. “The risk universe is expanded.” The challenges with mobile devices and identity are numerous, and after years of discussion, industry finds itself in the midst of a great experiment. Significant issues surround the policies that govern these devices and credentials. Existing policy needs to be changed, or new policy created from scratch, to deal with the challenges mobile devices present to an enterprise. On the technology side, many feel it is a foregone conclusion that the mobile will use some aspect of near field communication for identity. The U.S. government is looking at how the communications protocol can be used in connection with PIV and PIV-I credentials, and the enterprise sees it as a solution for converged physical and logical access control.
SOLVE THE ‘WHERE’ BEFORE THE ‘WHY’ One of the core issues with credentials on the mobile is where to store the credential on the device and who controls that area. For followers of near field communication, these issues will sound very familiar. “Who controls the secure element? Who owns the secure element? What form does it come in?” asks Terry Gold, vice president of U.S. sales at idonDemand. These questions have plagued the NFC market and delayed adoption as ecosystem players have struggled for control. On the payment and marketing side there has been some compromise, with carriers, financial institutions and handset manufacturers partnering to roll out initial services. But on the identity and credentialing side it’s not yet clear how this will work and who will control and profit from mobile identity. “You have this big battle shaping up,” Gold says. “If you have a secure element who is going to own and control it? It is not really owned by the end user. Even though he decides what apps and identity elements go on his handset, it’s someone else who provides the security.” Eventually the secure element will have to be owned by the end user and access granted to any application he sees fit, Gold says.

SECURE ELEMENT OPTIONS There are three options for storing identity credentials in a mobile device’s secure element. The first is the SIM, the smart card in the handset used to identify the subscriber to the mobile network. This choice is handset agnostic, and the mobile operators, such as AT&T, Sprint, Verizon and T-Mobile, control the SIM. The second is a microSD card inserted into the phone. Many smart phones, Android and BlackBerry models but not the iPhone, have microSD slots, and the credential could be removed and placed in another handset if an individual switched devices. In this case the issuer of the microSD card would be its likely owner. The final option is a secure element embedded in the handset. The handset manufacturer would own this space, and many are already adding the capability to devices; notably, RIM is going this route with its BlackBerry handsets. To further cloud the issue, handsets could have more than one secure element, or even all three types, with a different owner for each. “Everyone wants control of the secure element in NFC,” Gold says. “On the identity side it gets difficult. If someone else owns that secure element how are you going to put an identity credential on it?” Will the secure element owner charge a fee to put a credential on the device? Will companies or organizations be willing to pay? Questions abound.
THE HANDSET AS ACCESS CONTROL CARD HID Global has seen these issues arise and is designing a solution that will work in any environment and can manage the credential wherever it is stored, says Karl Weintz, vice president of business development for the mobile access business at HID. In a pilot in the fall of 2011 at Arizona State University, HID Global showed how its solution can work with different handsets. The 32 participants were outfitted with one of three devices: RIM’s BlackBerry Bold 9650, Samsung Android handsets (multiple models) or Apple’s iPhone 4. The pilot relied on microSD cards and sleeves for the NFC functionality because handsets with built-in NFC were not widely available in the U.S. Three separate carriers, AT&T, Verizon and T-Mobile, provided mobile service, and the credentials were loaded manually onto the handsets. HID’s solution will be handset and carrier agnostic. Because of the small size of the pilot and the control the school and vendors exerted over it, the pilot avoided some of the issues that may crop up during a full-scale rollout of placing the credential on the device. Even so, the program was successful. Approximately 80% of the ASU participants reported that using a smart phone to unlock a door is just as convenient as using their campus ID card. Nearly 90% said they would like to use their smart phone to open all doors on campus. And, while the pilot was focused on physical access, nearly all participants also expressed an interest in using their smart phone for other campus applications, including access to the student recreation center, as well as transit fare payment and meal, ticket and merchandise purchases. HID also has a partnership with ISIS, the consortium of AT&T, Verizon and T-Mobile that will roll out NFC in 2012. This project will place the credential on the SIM, Weintz explains.
EXPAND FOCUS Having the choice to add applications and functionality to a device is important and may be critical to successful deployments of NFC. Neville Pattinson, vice president for Government Affairs, Standards and Business Development at Gemalto, says the mobile is going to impact three markets, payments, transit and identity, and it should be up to the device owner which applications they choose. “People are focused on one area, but you have to look at all three and the big picture,” Pattinson says. That means being able to use a handset to securely store identity credentials as well as public transportation access and payment data. The mobile is likely to store multiple sets of each type of data, Pattinson says. There may be one set of identity credentials for work and another for personal use. “We have a platform in our hands that becomes a multifunction device,” he says. It could take two to three years to define the policy issues that will guide the placement of identity credentials on secure elements, Gold predicts. Until then it’s going to be a waiting game as consumers load various identity apps into an application space that may not be fully secure.
WHAT WILL MOBILE IDENTITY LOOK LIKE? The goal of mobile credentialing is to enable an individual to have the same level of interaction with a system on the handset as they would on a laptop or desktop, says Jerome Becquart, vice president and general manager of identity assurance at HID Global. HID acquired ActivIdentity and its smart card middleware, and the company is porting that software to the mobile device for access to secure email and virtual private networks, Becquart says. To date, however, the company hasn’t seen much call for the technology because U.S. government policy requires the use of a smart card and PIN. HID partnered with Good Technology to deliver new government-strength, two-factor mobile authentication and credentialing solutions for the iOS and Android platforms. The new solutions couple the security capabilities of Good for Enterprise and Good for Government with the authentication technology of the ActivIdentity ActivClient Mobile middleware, making it easier for federal employees and the companies that support them to access pertinent applications from their mobile devices while maintaining the security levels set by their information assurance personnel. Smart phones and tablets have not been able to achieve the necessary levels of security, but Good Technology and ActivIdentity are working to mobilize smart cards and the underlying secure element technology. The solution enables email and document encryption, cryptographic signing of emails and forms, and extends public key infrastructure authentication to custom applications previously not enabled on smart phones and tablets. As handsets gain functionality, use will go beyond basic access to information, Becquart says. With NFC embedded, physical access control can be added to the handset as well. These converged physical and logical access systems will enable organizations to greatly increase security. Employees would wave their phone to gain access to the front door of a building, and if they didn’t authenticate at the door they wouldn’t be able to access their computer.
The handset would also be the key for entry into the computer, and instead of having to enter a long, complex password an individual might only have to remember a PIN, says Jon Callas, CTO at Entrust. Also, if an individual walks away with their handset the desktop would lock. The GPS feature on smart phones could also play a part in security. If the network shows that someone is trying to remotely access email from an unusual location, it could check the GPS on the employee’s smart phone to see if they are in that area. “Companies will be able to look at where you’ve been and determine if a transaction is too risky,” Becquart says.
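The two checks Becquart and Callas describe, door authentication as a precondition for workstation access and a handset’s GPS fix as corroboration for remote email access from an unusual location, come down to a small policy engine over access events. The following is an added example written for this article, not HID’s, Entrust’s or any other vendor’s code: it runs over constructed badge events and login attempts, with a hypothetical headquarters in Washington, DC and a handset last seen in Baltimore. One caveat a practitioner would insist on: a location the handset reports about itself is only a corroborating signal, since a compromised or spoofed handset can report whatever it likes, so the result belongs in a risk score rather than being the sole gate.

```python
"""Converged physical/logical access checks: added illustration, stdlib only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import math


@dataclass
class BadgeEvent:
    user: str
    door: str
    time: datetime


@dataclass
class LoginAttempt:
    user: str
    resource: str          # "workstation" (on site) or "email" (possibly remote)
    time: datetime
    lat: float             # geolocation of the request origin (e.g. from its IP)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def badged_in_before(user, when, badge_log, window=timedelta(hours=12)):
    """True if the user presented a credential at a door within `window` before `when`."""
    return any(e.user == user and when - window <= e.time <= when for e in badge_log)


def evaluate(attempt, badge_log, usual_sites, phone_fix,
             usual_radius_km=25.0, max_phone_km=50.0):
    """Return (allow, reason).

    usual_sites: user -> list of (lat, lon) the user normally works from.
    phone_fix:   user -> (lat, lon) most recently reported by the user's handset.
    """
    if attempt.resource == "workstation":
        # Door first, desk second: no badge-in, no workstation login.
        if badged_in_before(attempt.user, attempt.time, badge_log):
            return True, "badge-in seen before workstation login"
        return False, "no badge-in at a door before workstation login"

    if attempt.resource == "email":
        sites = usual_sites.get(attempt.user, [])
        if any(haversine_km(attempt.lat, attempt.lon, *s) <= usual_radius_km for s in sites):
            return True, "request from a usual location"
        # Unusual origin: ask the handset where it is and compare.
        fix = phone_fix.get(attempt.user)
        if fix is None:
            return False, "unusual location and no handset position to corroborate"
        km = haversine_km(attempt.lat, attempt.lon, *fix)
        if km <= max_phone_km:
            return True, f"unusual location but handset is {km:.0f} km from request origin"
        return False, f"handset is {km:.0f} km from request origin"

    return False, f"unknown resource {attempt.resource!r}"


# Constructed sample data (not from the article): a DC headquarters, a handset
# last seen in Baltimore, one badge-in, and five login attempts.
T0 = datetime(2012, 3, 5, 8, 0)
DC, BALTIMORE, NYC = (38.9072, -77.0369), (39.2904, -76.6122), (40.7128, -74.0060)
BADGE_LOG = [BadgeEvent("fjones", "HQ-front-door", T0 + timedelta(minutes=2))]
USUAL_SITES = {"fjones": [DC]}
PHONE_FIX = {"fjones": BALTIMORE}
ATTEMPTS = {
    "desk_after_badge": LoginAttempt("fjones", "workstation", T0 + timedelta(minutes=10), *DC),
    "desk_no_badge": LoginAttempt("asmith", "workstation", T0 + timedelta(minutes=10), *DC),
    "mail_usual_site": LoginAttempt("fjones", "email", T0 + timedelta(hours=1), *DC),
    "mail_unusual_phone_nearby": LoginAttempt("fjones", "email", T0 + timedelta(hours=3), *BALTIMORE),
    "mail_unusual_phone_elsewhere": LoginAttempt("fjones", "email", T0 + timedelta(hours=3), *NYC),
}


def run_all():
    """Evaluate every constructed attempt; returns name -> (allow, reason)."""
    return {name: evaluate(a, BADGE_LOG, USUAL_SITES, PHONE_FIX) for name, a in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (allow, reason) in run_all().items():
        print(f"{name:30s} {'ALLOW' if allow else 'DENY':5s} {reason}")
```

The thresholds (25 km for a “usual” location, 50 km for handset corroboration, a 12-hour badge window) are placeholders; a real deployment tunes them per site and combines the outcome with other signals rather than denying on this check alone.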
BYOD In a “bring your own device” world, corporations face a major challenge. Consumers expect to be able to load the applications of their choice onto their devices, but this leads to serious security issues in enterprise environments. Deloitte’s take on bring your own device is pretty straightforward, Duque says. “You’re damned if you do and damned if you don’t.” To make it easier for the corporation, it can come up with a list of approved handsets from which an employee can choose. This gives the employee some options, Duque says. Otherwise it is bring your own device, and this creates issues that can literally change on a daily basis as new handsets hit the market, Duque explains. A company can achieve some cost savings if it doesn’t reimburse for the purchase of mobile devices, and employees don’t have to carry multiple devices, which is more convenient for them. But the disadvantages are numerous. Employees buy devices and try to connect them to corporate resources without approval, circumventing security. There is an increased cost, as IT staff must support multiple device types. Trying to keep up with the potential attacks on the different handsets can be time consuming and expensive because each mobile operating system has different attack vectors. The cons would seem to outnumber the pros, but organizations are still wrestling with the issue. Duque also says organizations need to have policies in place for device configuration, device use monitoring, data ownership and acceptable data use. These policy issues can get thorny, says Jim Zok, director of Identity and Privacy Assurance at CSC. “If I bring in my device and want to use it for work what happens if I download something? You wipe the phone but will I get reimbursed?” he asks. “If you have a company phone does it have an approved app list?” Viruses and malware attacks on mobile devices are ever growing. “There’s practically no way to protect these devices and put an app on it,” Zok says. One solution could be two-kernel handsets, says Zok. This would enable the device to have a business function and a personal function with strict segregation between the two sides. If one kernel is infected the other side would be able to function normally, he explains.

MOBILE PIV
In the U.S. government space, enabling the mobile will take some significant policy changes. Computer scientists at the National Institute of Standards and Technology (NIST) are working on possible solutions for government employees to have secure credentials on mobile devices. NIST released a revised FIPS 201-2 draft last year, and though the draft omitted mobile ID, government smart card officials say adding the capability is imperative. The agency is exploring three options for enabling the PIV on a smart phone or tablet, says Bill MacGregor, a computer scientist at NIST. One is additional hardware that would connect the smart card to the mobile device, another is an enhanced PIV that would fully enable all functionality of the PIV’s contactless interface, and the last is the use of a mobile device manager and a derived credential. Contact smart card readers that use Bluetooth, WiFi or a cord to securely connect the PIV credentials to mobile devices already exist, MacGregor says. This option isn’t the most attractive because of the cost of the hardware and the form factor. “From a usability point of view it’s awkward and not realistic,” he adds.

ENHANCED PIV The other two options seem more realistic, but each requires policy and technology changes. The phone could be used as a credential if the contactless interface of the PIV was fully enabled, MacGregor says. The first FIPS 201 version limited the amount of information available from the contactless portion of the card. If these restrictions were eliminated, near field communication devices could read the PIV and authenticate to networks, sign and read email, and complete other tasks. To do this, a process for creating a secure channel between the mobile and the credential would have to be created. “It’s easy to do technically but hard for the key management,” he says. Since any NFC device would be able to read any PIV, there would have to be a secure key placed on the mobile to make sure the credential is only being read by the properly authorized device. It would be a way to authorize the device to the credential. Secure keys would have to be issued to the mobile devices, MacGregor says. This could be as simple as a pairing PIN entered into the mobile to authorize pairing. “This doesn’t require too much more functionality,” he adds.

DERIVED CREDENTIAL The other option is a derived credential and a mobile device manager, MacGregor says. The PIV is presented to a mobile device manager, which then assigns a credential to the device. The credential would be placed on a secure element within the mobile. Only a portion of the PIV functionality would be available with the derived credential, and it’s possible that different derived credentials could be issued depending on the level of assurance necessary, MacGregor says. “The chief negative of this approach is the complexity,” MacGregor says. “It needs interaction with a mobile device manager.” Enhanced PIV and derived credentials are the focus of NIST’s current efforts to enable the PIV on smart phones, MacGregor explains. Derived credentials are also mentioned in NIST Special Publication 800-63-1, which focuses on electronic authentication. That mention is generic and not specific to PIV, says Hildegard Ferraiolo, a computer scientist at NIST. If derived credentials were to be included with PIV, they would appear in the next draft of FIPS 201-2, expected sometime in the first half of 2012.
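MacGregor’s pairing PIN for the enhanced PIV, a key placed on the mobile so that only the authorized device can read the fully enabled contactless interface, is easy to sketch, and, as he says, the hard part is the key. The following added example, written for this article and not NIST’s or any vendor’s design, models a card that only answers a reader proving possession of a pairing key derived from the PIN; the card serial, device identifier, PIN and key-derivation parameters are all constructed for the illustration. The last function shows why a PIN-derived key cannot be the whole story: one captured challenge and response is enough to recover a short PIN offline.

```python
"""Pairing a handset to a contactless PIV with a pairing PIN: added illustration."""
import hashlib
import hmac
import os

# Deliberately low so the offline-guess demo below runs in well under a second.
# Raising it only scales the attacker's cost linearly; see brute_force_pin().
KDF_ITERATIONS = 200
LABEL = b"piv-reader-auth"


def derive_pairing_key(pin: str, card_serial: bytes) -> bytes:
    """Card and handset both derive the pairing key from the PIN, salted with the card serial."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_serial, KDF_ITERATIONS, dklen=32)


def reader_response(key: bytes, nonce: bytes, device_id: bytes) -> bytes:
    """Proof that the reader holds the pairing key, bound to this nonce and this handset."""
    return hmac.new(key, LABEL + nonce + device_id, "sha256").digest()


class PivCard:
    """Hypothetical card-side state: serial, pairing key, the nonce of the open challenge."""

    def __init__(self, serial: bytes, pairing_pin: str):
        self.serial = serial
        self.pairing_key = derive_pairing_key(pairing_pin, serial)
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def verify_reader(self, device_id: bytes, response: bytes) -> bool:
        if self.nonce is None:
            return False
        ok = hmac.compare_digest(reader_response(self.pairing_key, self.nonce, device_id), response)
        self.nonce = None          # one challenge, one answer: a captured response cannot be replayed
        return ok


class Handset:
    """Hypothetical handset-side state; unpaired until the user enters the pairing PIN."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.pairing_key = None

    def pair(self, pin: str, card_serial: bytes) -> None:
        self.pairing_key = derive_pairing_key(pin, card_serial)

    def respond(self, nonce: bytes) -> bytes:
        if self.pairing_key is None:
            raise PermissionError("handset has not been paired with this card")
        return reader_response(self.pairing_key, nonce, self.device_id)


def authorize_reader(card: PivCard, handset: Handset) -> bool:
    """The card only answers a reader that proves it holds the pairing key."""
    nonce = card.challenge()
    try:
        response = handset.respond(nonce)
    except PermissionError:
        return False
    return card.verify_reader(handset.device_id, response)


def brute_force_pin(card_serial, device_id, nonce, response, digits=4):
    """Offline attack on one captured exchange: try every PIN until the MAC matches.

    A 4-digit space is 10,000 guesses; 6 digits is 1,000,000. Both are feasible
    offline whatever the KDF cost, because nothing rate-limits the attacker.
    That is the key-management problem: a pairing PIN can bootstrap a
    high-entropy key, but must not be the key itself.
    """
    for guess in range(10 ** digits):
        pin = f"{guess:0{digits}d}"
        key = derive_pairing_key(pin, card_serial)
        if hmac.compare_digest(reader_response(key, nonce, device_id), response):
            return pin
    return None


if __name__ == "__main__":
    card = PivCard(serial=b"PIV-0001", pairing_pin="0731")   # constructed values
    paired, stranger = Handset(b"fjones-phone"), Handset(b"kiosk-reader")
    paired.pair("0731", card.serial)
    print("paired handset accepted:", authorize_reader(card, paired))
    print("unpaired reader accepted:", authorize_reader(card, stranger))
    nonce = card.challenge()
    print("PIN recovered offline:", brute_force_pin(card.serial, paired.device_id, nonce, paired.respond(nonce)))
```

In practice the pairing PIN would bootstrap a high-entropy key, for example through a password-authenticated key exchange or a key the issuer provisions to the handset during pairing, with the card rate-limiting pairing attempts; the PIN-derived key shown here is exactly what the brute-force function defeats.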
Become an IEEE Certified Biometrics Professional®
Why CBP? The IEEE Certified Biometrics Professional® (CBP) program has two major components: Certification and Training. Professionals and organizations both can benefit from the IEEE CBP program. Key advantages are:
■ Prove your knowledge
■ Increase your credibility
■ Learn a baseline of industry knowledge
■ Train employees
■ Gain a competitive advantage
“The IEEE CBP program delivered on its promises. It strengthened some of the areas and aspects of biometrics that are less familiar to me and made me more well-rounded.” —Gregory Johnson, CBP, BRTRC
Learn more and register today! www.IEEEBiometricsCertification.org
The notion of an enhanced PIV and derived credentials brings up some thorny policy issues, says Gemalto’s Pattinson. “NIST has a PKI policy that only allows digital credentials to be present on a smart card form factor,” he explains. There is also the issue of dealing with the same credential in more than one place. “How do you end up with one card in your hand and another in the phone?” Pattinson asks. “You can’t have the same key in two places.” Nor does this solve the problem of decrypting email on mobile devices. “When a PKI credential is made on a PIV there are several keys and certificates associated with different functions, for example decryption, digital signature, key exchange, among others,” Pattinson says. Decrypting an email is more complicated than it sounds. For a person to send an encrypted email there has to be an encryption public key certificate available to the sender, so the email can be encrypted such that only the recipient can read it, Pattinson explains. The private key associated with that public key may be known only to the original PIV, as it was generated on the card at the time of issuance or activation. The private decryption key may never leave the card. If a derived credential does not have the original private decryption key, there may be no way to decrypt the email. However, even this isn’t a hard and fast rule. Some agencies “escrow” the private decryption key, either generated off card initially or securely extracted from the card. This is done to allow for situations where cards are replaced or lost but the need to decrypt older email remains. That’s just one example. Figuring out how to handle these policy issues is going to take some time, possibly one to two years, Pattinson predicts.

GSMA: SIM-BASED NFC GAINS SUPPORT OF 45 MOBILE OPERATORS The GSM Association announced that 45 of the world’s mobile operators have committed to supporting and implementing SIM-based NFC services. Chief among these companies are China Mobile and China Unicom, which account for nearly 800 million subscribers throughout China. Other major operators include Deutsche Telekom, KT Corporation, Orange, SK Telecom, Telefónica, Telecom Italia, Turkcell, Verizon and Vodafone. ISIS, the organization formed by AT&T, T-Mobile and Verizon to build a nationwide mobile commerce network in the U.S., has also announced its support for SIM-based NFC. According to research firm Strategy Analytics, nearly 1.5 billion SIM-based handsets will be sold worldwide between 2010 and 2016, supporting transactions of more than $50 billion globally over the period.

EASY, YET SECURE, AUTHENTICATION ON THE MOBILE Individuals want to do more and more with their mobile devices, but often the device itself is unprotected or using additional security is cumbersome. A survey by Confident Technologies found that 65% of respondents reported using their personal mobile device to access work email or the company computer network, and more than half said they do not use a password or PIN to lock their smart phone or tablet. Some 44% of those who do not lock their mobile devices said that using a password is “too cumbersome.” An additional 66% of respondents said they try to leave applications on their smart phones perpetually logged in unless the application requires them to log in every time. Logging on to Web sites with mobile devices can be difficult. Even with handsets that have QWERTY keyboards it’s hard to enter the complex user names and passwords required by some corporate sites. Confident Technologies is trying to make the mobile login process secure as well as easy, says Curtis Staker, president and CEO of the company. With Confident’s image-based technology a user enrolls in the system by picking a category of photos, for example animals, and then chooses the specific images for their login. When returning to the site, the individual is presented with a group of images in random order and taps the ones specific to their login. The specific pictures and their location on the grid are different each time, forming a unique, one-time authentication code every time. All the user needs to do is remember a few categories and look for pictures that fit those categories. “You get the usability without forsaking the usability,” Staker says.
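Confident Technologies’ image-based login, described above, is straightforward to model: the server shows one picture from every category in a fresh random order, and the positions the user taps form that session’s one-time code. The following added example is written for this article, not Confident’s code; the picture catalogue, category names and user are constructed. Two points are built in that the description leaves implicit: a challenge is accepted once, so a captured set of tapped positions cannot be replayed, and the scheme’s secret is the set of categories, so anyone who can watch the screen and recognise the tapped pictures learns it directly. Randomizing positions protects the transmitted response, not against an onlooker.

```python
"""Image-category login as described by Confident Technologies: added illustration."""
import secrets

# Constructed catalogue: nine categories, each with a few labelled pictures.
CATALOG = {
    "animals": ["cat.jpg", "dog.jpg", "horse.jpg"],
    "birds": ["robin.jpg", "owl.jpg", "heron.jpg"],
    "boats": ["yacht.jpg", "canoe.jpg", "ferry.jpg"],
    "buildings": ["tower.jpg", "barn.jpg", "church.jpg"],
    "cars": ["sedan.jpg", "coupe.jpg", "van.jpg"],
    "flowers": ["rose.jpg", "tulip.jpg", "daisy.jpg"],
    "food": ["pizza.jpg", "sushi.jpg", "soup.jpg"],
    "fruit": ["apple.jpg", "pear.jpg", "grape.jpg"],
    "tools": ["hammer.jpg", "saw.jpg", "wrench.jpg"],
}
CATEGORY_OF = {img: cat for cat, imgs in CATALOG.items() for img in imgs}
MIN_CATEGORIES = 3


class ImageAuthServer:
    """Hypothetical server side: enrolled categories per user and open challenges."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.enrolled = {}     # user -> frozenset of enrolled categories
        self.pending = {}      # challenge id -> (user, grid)

    def enroll(self, user, categories):
        cats = frozenset(categories)
        if len(cats) < MIN_CATEGORIES or not cats <= frozenset(CATALOG):
            raise ValueError(f"pick at least {MIN_CATEGORIES} known categories")
        self.enrolled[user] = cats

    def new_challenge(self, user):
        """One picture from every category, in a fresh random order: the grid itself is the nonce."""
        if user not in self.enrolled:
            raise KeyError(user)
        cats = list(CATALOG)
        self.rng.shuffle(cats)
        grid = [self.rng.choice(CATALOG[c]) for c in cats]
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, grid)
        return cid, grid

    def verify(self, cid, tapped):
        """Accept exactly the positions whose pictures belong to the user's categories; single use."""
        entry = self.pending.pop(cid, None)    # a replayed or unknown challenge id fails
        if entry is None:
            return False
        user, grid = entry
        expected = {i for i, img in enumerate(grid) if CATEGORY_OF[img] in self.enrolled[user]}
        return set(tapped) == expected


def honest_taps(grid, my_categories):
    """What the user does on the handset: tap each picture that fits one of their categories."""
    return [i for i, img in enumerate(grid) if CATEGORY_OF[img] in my_categories]


if __name__ == "__main__":
    server = ImageAuthServer()
    server.enroll("fjones", ["animals", "cars", "tools"])     # constructed user and secret
    for _ in range(2):
        cid, grid = server.new_challenge("fjones")
        taps = honest_taps(grid, {"animals", "cars", "tools"})
        print("grid:", grid)
        print("tapped positions:", taps, "->", server.verify(cid, taps))
```

With nine categories and three enrolled, a blind guess of three positions succeeds with probability 1 in 84 per attempt, so the server still needs the lockout and attempt-rate limits any PIN scheme needs; the one-time grid adds nothing against online guessing.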
TECHNOLOGY ISSUES As the policy issues are being addressed, the technology continues to evolve. The lack of NFC handsets is one issue holding back mobile identity efforts, says Jon Callas, chief technology officer at Entrust. In the U.S. there are just a handful of NFC devices on the market, a couple of Blackberry and Samsung models but that’s it, he says. Google with Android and Apple with iOS must progress to make identity better in mobile operating systems, Callas adds. He believes identity should be embedded into the device, and not the decision of third-party apps. Consumers should be able to control the identity as they wish, he explains. “The operating system vendors will start to solve this problem by putting container support on the devices so that people can do identity on their own,” Callas adds. Nobody buys a new handset based on identity, Callas explains. “Identity wasn’t on the list of reasons why I bought my phone,” he says. “You buy a mobile because you want that device.” Though the mobile identity market has progress to make, both the technology and consumer adoption move quickly. Because handsets are relatively inexpensive they are replaced every one to three years, Callas explains. While both the technology and policy need to advance before mobile identity is widespread this rapid pace of consumer adoption bodes well for the market. But officials must keep this pace in mind as they define policy. “Frankly, the technology is changing faster than we can keep up with,” says Zok.
SD ASSOCIATION, GLOBALPLATFORM TO INCLUDE NFC IN NEW SD STANDARDS The SD Association has announced a new collaboration with GlobalPlatform to include smart chip technology in SD standards, enabling mobile phones and other portable devices to provide authentication services with SD memory cards. Standardized authentication services on microSD and full-size SD memory cards could transform consumers’ mobile phones and devices into electronic wallets, enabling NFC-enabled cashless payments and paperless identification, plus a variety of value-added applications leveraging NFC. According to the association, offering NFC on SD memory cards opens new business models for any authentication process, including:
• Mobile commerce: Consumers can use devices equipped with smart microSD cards to make contactless payments for anything from groceries to subway fare.
• Customized services: Content and service providers can customize features, offers and rewards automatically, eliminating manual entry of customer identifiers such as account or rewards card numbers. For example, airlines could automatically review customer accounts for upgrade and other frequent flier rewards.
• Secure access/Personal ID: Users could store digital identification cards and redeem access control credentials on their mobile device.
• Secure voice: Smart microSD cards can support hardware encrypted voice services, a security method used by governments, emergency services and corporations.
In each of these new business models, the microSD and full-size SD memory cards would provide the secure element, based on GlobalPlatform standards, for authorization purposes and would only be active in the authorized device.
DC ONE CARD EXPANDS TO SCHOOLS BUT SCALES BACK TAXI DRIVER PROGRAM, USE OF PIV-I
JILL JARACZ, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
After a year of retooling its DC One Card program, DC officials are reconsidering the use of PIV-I and the authentication of taxicab drivers, but they have added a school transit subsidy feature that all DC school children will use. 2011 saw a delay in the implementation of credit card readers and PIV-I identification options for taxicab drivers. The program was intended to enable drivers to use the DC One Card to sign in and verify their identity at each shift. “The taxi cab project started, went cold for several months and is now considered a potential project,” says Rob Mancini, chief technology officer for the District of Columbia. As a whole, the District is reviewing whether or not PIV-I is the correct technology. While the taxi project was on hiatus, the DC One Card program underwent many changes in order to ensure that its applications add value. “Instead of a research and development exercise that created products with no demand, we put some discipline around the group,” says Mancini. Along with refocusing the group’s efforts, the office restructured the way it issues cards. Instead of having a large staff doing a lot of hands-on work, the office outsourced its printing to the Government Printing Office (GPO), says Mancini. DC One Card recipients then receive the card in the mail. “We tried to make the program more efficient,” says Mancini. As a result of outsourcing the printing of DC One Cards to the GPO, the CTO’s office realized some cost savings. The cost of student cards dropped 52 cents, from $7.72 to $7.20 per card. Citizen cards dropped about 12%, from $11.63 to $10.24 per card. Citizen cards are more expensive to produce because of the higher level of identity vetting required and the additional mailing costs involved. About 90,000 cards have been issued, says Howard Barrett, program manager of DC One Card and portfolio manager for planning and economic development in the Office of the Chief Technology Officer. Barrett, who took on the DC One Card management duties in June, is driving the direction of the credential, working to control costs and interacting with other agencies, Mancini says.
PIV-I ON THE BUBBLE? In terms of the taxicab project, which originally called for drivers to have PIV-I credentials for authentication and meter activation, as well as the installation of credit card readers in cabs, this has meant a little scaling back. The Office of the Chief Technology Officer is questioning whether the PIV-I technology offers enough value for the cost, Barrett says. There would have to be many uses for the credential in order to reap the full benefits, he explains. “If we had multiple agencies we could support [with PIV-I] we’d think about it. It’s not required as a solution, so we’re not going to use it as a solution for taxicabs at this time,” says Barrett. In 2012, the CTO’s priority is to implement credit card readers in taxicabs. The District’s Office of Contract and Procurement released a request for proposal at the beginning of 2012 and will award a vendor contract in early summer. The hope is to have credit card point-of-sale devices in cabs by the fall of 2012. Barrett says it’s likely that not all cabs will have the capability by then, but the system will be operationally deployed. The District is one of the last large municipalities to add credit card capabilities. In 2013 it will re-evaluate the ability to use PIV-I, which means any such functionality is unlikely to be realized until 2014.
STUDENTS GET DC ONE Although the taxicab project was delayed in 2011, another project made use of the DC One Card as a platform. This past year the Office of the Chief Technology Officer partnered with the District Department of Transportation to add the school transit subsidy program to the DC One Card. Mancini says the transportation department approached his office about adding this program, which is a four-way partnership between the CTO, transportation, the school system and the Metro. It will take 18 months to roll out, and will cover the approximately 14,000 students who participate in the Transit Subsidy Program. The DC One Card replaces the current paper voucher system. “[It gives us the] ability to control eligibility and use of the program in a more efficient way,” says Aaron Overman, acting associate director of the Progressive Transportation Services Administration at the transportation department.
With the analog system, there was no way to trace use of the program back to the student, says Overman. This made fraudulent use of student transit subsidies possible. “Anecdotally we hear all the time about students graduating high school and taking a younger student’s card,” says Overman. If students lost their transit pass, they also had to pay to replace it. Tying the subsidy to the card enables electronic trace back. If a card is lost or stolen, it can be turned off and the subsidy can be prorated onto a new card. “It lessens the burden of lost or stolen cards,” says Overman. Parents pay $30 per month per student for the transit subsidy. An adult fare is five to six times that much, says Overman. This initiative started as a one-school pilot program last April. “It was easy to work out the kinks,” says Barrett. The preparation for this pilot involved writing code that took about two to three months.
Due to the success of the pilot, the program expanded to the seven secondary schools in fall 2011 and to all public high schools and middle schools at the end of 2011, with a mandate of all eligible students needing to use a DC One Card for transit subsidies starting on Jan. 1, 2012. The next step will be adding the city’s 60 to 70 charter schools to the program, which will cover the remaining 50% of the district’s students. Overman says the office will implement a three-school pilot in March or April 2012. Adding the charter schools to this program provides challenges in that each charter school is run individually and the department of transportation will have to bring these smaller, individually run systems into one larger system. “If we can get everything working, then definitely next fall (all schools will be live). Our goal is to have every single school in the district,” says Overman.
The transportation department projects 20% savings in converting to the electronic transit subsidy program. Many charter schools also see potential uses for the One Card such as adding lunch programs, attendance and library usage applications to it. “It’s up to each individual school in how they use the card,” says Overman, adding that each school can work on what applications they’d like to add to realize further savings and efficiencies. “School transit is starting as a first piece of what we’d like to see,” says Overman. Just as Overman sees transit is the first step for schools, many see schools as the first step for the DC One Card. The sky can be the limit with these types of programs, as people imagine more and more applications and functions. But, as DC found with both taxicab and PIV-I additions, implementation and budgets can be the real challenge to rollout.
What does DC’s move away from PIV-I mean? In 2009 Washington DC was committed to PIV-I. The district intended to issue credentials to first responders with plans to extend the program to city workers. In 2010 the agency announced a program that would issue PIV-I credentials to taxi drivers and even citizens to enable residents to ride the Metro, check out library books and access schools and recreation centers.
Some of these use cases are still moving forward, and tens of thousands of cards have been issued, but none are PIV-I. The district didn’t see the use case for the technology, says Howard Barrett, program manager of DC One Card and Program Management Office and portfolio manager for planning and economic development in the Office of the Chief Technology Officer.
“There are a couple of factors influencing the current status regarding PIV-I implementation,” Barrett says. “A significant upfront investment is required, (and) there is also a need to ensure an appropriate return on investment should DC government pursue PIV-I deployment.” Deploying a PIV-I system is expensive and the district wants to make sure that cost is justified. “We just need to ensure cost-benefit objectives will be realized for the substantial investment,” Barrett adds. “In addition to existing available solutions, DC will also consider new, emerging technologies before making the decision to invest in a specific platform.” This is going to be common as jurisdictions and corporations consider deployment of identity credentials, says Salvatore D’Agostino, CEO at IDmachines. Outside of organizations that have a lot of interaction with the federal government, such as large defense contractors, PIV-I may not make sense, he says. As it stands now, PIV-I is expensive and deploying it for anything other than an enterprise application would be a stretch, D’Agostino says. “Where it goes wrong is when it depends on an edge use case, like taxi cab drivers,” he adds. “You can’t do it because of an edge case, you have to do it because of an enterprise case.”
Dynamic Duo: The New AOptix InSight® Duo Combines the Performance of Iris and the Utility of Face
The AOptix InSight Duo is the first and only system to simultaneously capture both an ISO / ICAO compliant face image and one or two ISO-standard iris images. The fast, automatic, non-contact capture takes mere seconds and is effortless for subjects, and if present, operators. Bringing seamless multi-modality and potential for biometric fusion, InSight Duo heralds a new era in conclusive authentication for identity-dependent applications including aviation security, expedited passenger processing, transportation, and border security.
For a demonstration or more information, please contact us or visit us online at www.aoptix.com/iris-recognition. © 2012 AOptix Technologies. T. 408.558.3300
CANADA ENABLES BANK CARDS FOR ACCESS TO ONLINE GOVERNMENT SERVICES GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
The Canadian government is working with financial services companies to enable consumers to use bank-issued credentials and payment cards for access to government services, negating the need for special purpose IDs and passwords that are infrequently used and thus difficult to remember. Toronto-based SecureKey Technologies was hired by the Canadian government to launch the credential broker service. The broker service is designed to protect consumer privacy, says Andre Boysen, executive vice president of Digital Identity and Authentication Services at SecureKey. Canada is looking for an easier way to give citizens a choice about how they access services online, he explains. “When a consumer uses the service, the government does not get any information about the bank that you’re coming from or your account details,” Boysen says. “Nor does the government give any information to the bank about what government program you’re accessing or for what purpose.” SecureKey sits in the middle and doesn’t know anything about the user’s identity. “Consumers don’t deal with the government that often, so when you get a special purpose government account you’ve often forgotten the user ID and password since the last time you used it,” he explains. “So it gets more expensive and more challenging for the government to serve you. The idea is to take advantage of a credential that you have already rather than having a special purpose one just for government.” Alison Brooks, research director with IDC Government Insights in Canada, says the brokerage service is a great idea. “Governments are always looking for easy ways that are proven and secure and the banks are very vested in making sure that their transactions are secure,” she says. “This is one of the things that actually keeps government awake at night.”
HOW IT WORKS
Consumers will be able to visit a government department online and go through the credential broker service for authentication. SecureKey is launching with three of the largest banks in Canada – BMO Financial Group, TD Bank Group and Scotiabank – and plans to add more in the future. Canadian citizens have a choice of whether or not to use the system. When they visit a government site they can choose to create a new login that is unique for the government application or use their banking information. If they choose the latter they are directed back to the bank site, asked to login and provide required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site.
When a user authenticates with their bank, the bank will give SecureKey a non-identifying security token. SecureKey then substitutes the token with a new non-identifying but unique token for the Government of Canada that says the user has been authenticated. The credential broker service (CBS) is ‘triple-blind’ so no party to the transaction knows who has provided precisely what, thus ensuring the user’s privacy. SecureKey is simply a broker of anonymous credentials. The Government is responsible for ensuring that it is you accessing your information. The bank is responsible for providing a valid security “token” that only you have so that you connect to Government services more securely.
Boysen says they’ll start with things consumers already have – a user ID and password. But other more secure options are also available including contactless payment cards and contact EMV cards. One of the bank partners issues contactless smart cards in the market. “We’ll use our SecureKey reader so that users will be able to tap a credit card in addition to a password and get access that way,” says Boysen. The contactless reader houses a secure chip and looks like a USB flash drive. “Tap the credit card on our reader and we’re able to get a message from the card which we authenticate with the bank,” says Boysen. “Then the consumer will enter their online ID and password … we return them to the government service and the user is authenticated.”
PRIVACY IS PARAMOUNT
For the brokerage service to be successful, users must be convinced that their information is private and safe. Boysen says the interest of the banks is to serve customers and not be invasive. He says users should find comfort knowing that any authentication solution relating to consumer information must get the approval of the Privacy Commissioner of Canada.
“For anybody who is skittish or worried that this is a bad idea, the Government of Canada will provide an alternative,” says Boysen. “If you want to have a special purpose Government of Canada account, you can do that. But for those people that believe that this is actually being done for their convenience and it is being done in the right way with the oversight of the Privacy Commissioner, they have a more convenient way to get access to services online.” The service is part of Canada’s Cyber Authentication Renewal initiative. Boysen thinks it could also be a solution for the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC). “There’s no reason that this model couldn’t work there,” said Boysen. “The federal government can rely on the authentication results, and the banks get identity credentials that they need so badly to help provide better service online and thwart identity theft.” In the end, the goal is to provide an efficient, effective mechanism for consumers to safely identify themselves online. “We’re trying to work with the most trusted players in the economy,” Boysen explains citing governments, banks and eventually telecom companies. Brooks agrees, adding that the Internet is crying out for this kind of solution. “Government organizations are getting a bit desperate to find services and solutions that don’t reinvent the wheel, that they can just pick up and run … and that are proven,” she says. SecureKey expects the credential broker service to go live by mid-2012. It will be available for all Government of Canada departments and agencies. The service is free for Canadians with the cost being borne by the government.
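The token exchange described under HOW IT WORKS, modelled as an added toy example. This is not SecureKey's code or design: the HMAC-derived pairwise pseudonyms, the party names, the keys and the sample customer "alice" are all constructed assumptions chosen so the three privacy properties the article claims (the bank never learns the programme, the government never learns the bank, the broker never learns who the user is) can be checked offline.

```python
"""Toy model of a 'triple-blind' credential broker (constructed illustration)."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: str) -> str:
    """Keyed hash over length-prefixed parts, so concatenation is unambiguous."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p.encode())
    return m.hexdigest()


class Bank:
    """Authenticates its own customers and emits a non-identifying token.
    authenticate() takes no relying-party id: the bank is never told which
    government programme the user is visiting."""

    def __init__(self, bank_id: str, broker_shared_key: bytes):
        self.bank_id = bank_id
        self._broker_key = broker_shared_key          # shared with the broker only
        self._pseudonym_key = secrets.token_bytes(32)  # never leaves the bank
        self._customers: dict[str, str] = {}

    def enroll(self, user_id: str, password: str) -> None:
        self._customers[user_id] = password

    def authenticate(self, user_id: str, password: str):
        if self._customers.get(user_id) != password:
            return None
        # Stable pseudonym keyed with a bank-private secret: no name, no account.
        sub = _mac(self._pseudonym_key, "customer", user_id)
        return {"bank": self.bank_id, "sub": sub,
                "sig": _mac(self._broker_key, "bank-token", self.bank_id, sub)}


class Broker:
    """Verifies the bank token and mints a fresh token for the relying party."""

    def __init__(self):
        self._bank_keys: dict[str, bytes] = {}
        self._rp_keys: dict[str, bytes] = {}
        self._blinding_key = secrets.token_bytes(32)  # broker-private

    def register_bank(self, bank_id: str) -> bytes:
        self._bank_keys[bank_id] = secrets.token_bytes(32)
        return self._bank_keys[bank_id]

    def register_rp(self, rp_id: str) -> bytes:
        self._rp_keys[rp_id] = secrets.token_bytes(32)
        return self._rp_keys[rp_id]

    def exchange(self, bank_token: dict, rp_id: str) -> dict:
        bank_id, sub = bank_token["bank"], bank_token["sub"]
        key = self._bank_keys.get(bank_id)
        if key is None:
            raise ValueError("unknown bank")
        if not hmac.compare_digest(_mac(key, "bank-token", bank_id, sub), bank_token["sig"]):
            raise ValueError("bank token failed verification")
        # Pairwise pseudonym: same (bank, user, department) -> same value, so one
        # department can recognise a returning user; another department gets an
        # unrelated value, and nothing in the token names the bank.
        rp_sub = _mac(self._blinding_key, bank_id, sub, rp_id)
        return {"sub": rp_sub, "sig": _mac(self._rp_keys[rp_id], "rp-token", rp_id, rp_sub)}


class GovernmentService:
    """Relying party: accepts only tokens the broker minted for this service."""

    def __init__(self, rp_id: str, broker_shared_key: bytes):
        self.rp_id = rp_id
        self._key = broker_shared_key
        self._accounts: dict[str, dict] = {}  # pseudonym -> citizen record

    def login(self, token: dict) -> str:
        if not hmac.compare_digest(_mac(self._key, "rp-token", self.rp_id, token["sub"]), token["sig"]):
            raise ValueError("token was not issued for this service")
        return token["sub"]

    def link_account(self, pseudonym: str, record: dict) -> None:
        # Identity proofing is the government's job (the article's point); here the
        # outcome of that proofing is simply supplied as a record.
        self._accounts[pseudonym] = record

    def record_for(self, pseudonym: str):
        return self._accounts.get(pseudonym)


def run_demo() -> dict:
    """One constructed user visits two departments; returns the observed properties."""
    broker = Broker()
    bank = Bank("bank-a", broker.register_bank("bank-a"))
    bank.enroll("alice", "correct horse battery")  # constructed sample customer
    tax = GovernmentService("tax-agency", broker.register_rp("tax-agency"))
    pension = GovernmentService("pension-agency", broker.register_rp("pension-agency"))

    bank_tok = bank.authenticate("alice", "correct horse battery")
    first = broker.exchange(bank_tok, tax.rp_id)
    second = broker.exchange(bank.authenticate("alice", "correct horse battery"), tax.rp_id)
    other = broker.exchange(bank.authenticate("alice", "correct horse battery"), pension.rp_id)
    tax.link_account(tax.login(first), {"name": "Alice Example"})
    try:
        pension.login(first)  # token minted for tax-agency must be refused here
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return {
        "bank_token_hides_user": "alice" not in str(bank_tok),
        "rp_token_hides_bank": "bank" not in first and "bank-a" not in str(first),
        "stable_at_same_department": tax.login(second) == tax.login(first),
        "unlinkable_across_departments": first["sub"] != other["sub"],
        "cross_department_replay_blocked": replay_blocked,
        "bad_password_rejected": bank.authenticate("alice", "wrong") is None,
        "record_found_on_return": tax.record_for(tax.login(second)),
    }


if __name__ == "__main__":
    for prop, value in run_demo().items():
        print(f"{prop}: {value}")
```

In this model the broker is the only party that sees both the bank id and the department id for one transaction, but it never sees a name or account number, which is the split of knowledge the article describes; binding each minted token to a single relying party is what stops a token issued for one department being presented to another.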
FACIAL RECOGNITION’S PRIVACY PROBLEM
RYAN CLARY, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
Once the stuff of sci-fi and spy flicks, facial recognition technology has evolved into a concrete reality touching nearly everyone on the planet. The technology figures prominently in post-9/11 security. According to the International Civil Aviation Organization, 93 countries now issue passports containing the bearer’s biometric facial data. A number of U.S. states use facial recognition to prevent individuals from obtaining multiple driver licenses under different names. And law enforcement agencies successfully use it to identify criminals from video footage. In the pre-Google, pre-cloud computing era, the technology required for these facial recognition systems was exclusively in the hands of the governments and organizations that deployed them. Flash-forward ten years and the technology is available off the shelf, biometric databases are booming and the personal information of millions of people is freely available in the cloud. These new circumstances have prompted the International Biometrics and Identification Association (IBIA), a trade association promoting the appropriate use of identity and security technology, to raise the red flag on an impending “perfect storm.” The IBIA warns that this perfect storm may destroy the barrier separating our online and offline identities, altering our notions of what constitutes privacy in today’s connected world.
IDENTIFICATION IN MOMENTS Imagine a scenario in which anyone with a mobile device could capture an image from a distance and use facial recognition software to identify the individual and access a wealth of personal information that they, or others, have uploaded over the years. Researchers at Carnegie Mellon University have already done it. In August a team led by Carnegie Mellon Professor Alessandro Acquisti reported that they had successfully combined three technologies accessible to anyone – a commercially available face recognition tool, cloud computing and public information from social network sites such as Facebook – to identify individuals online and in the physical world. In their first experiment, Acquisti’s team was able to scan profiles on a popular online dating site and identify users – protected under pseudonyms – based on their photo. In another experiment, the team used the technology to identify individuals on the campus based on their Facebook profile photos. A third experiment found the researchers identifying students’ Social Security numbers and predicting their personal interests using a photo of the subject’s face. “The results foreshadow a future when we all may be recognizable on the street – not just by friends or government agencies using sophisticated devices – but by anyone with a smart phone and Internet connection,” said the researchers.
This is possible now because of exponentially increased accessibility, according to the IBIA. Identification databases were once small and tightly controlled, but today anyone with the right computer program can build massive databases using the billions of identity-tagged photos openly available online. Another new point of access is the digital camera. According to IBIA, when facial recognition was first invented twenty years ago, digital photography was exclusive, expensive, time consuming and certainly not within the reach of the average citizen. Today it’s a standard feature on most cell phones and inexpensive point and shoot models are everywhere. This has made it much easier for users to create and upload the digital images necessary to form facial recognition databases. Smart phones are particularly problematic in that their connectivity enables users to seamlessly take and upload digital photos. Increasingly powerful processors also enable smart phones to run complex applications such as facial recognition, says IBIA.
IBIA also points to the improved speed and accuracy of algorithms. According to independent measurements by the National Institute of Standards and Technology, facial recognition algorithms are one hundred times more accurate and up to one million times faster than past systems. Improvements have also made modern systems less reliant on precise facial placement and controlled lighting for accurate operation. These improvements have led facial recognition out of the lab and on the road to pervasive use in the real world. In response to this summer’s riots in the UK, police turned to facial recognition to identify looters caught on camera. Police ran these images against a face-matching database that Scotland Yard constructed in preparation for the 2012 Olympic Games in London. On the same front, a cadre of so-called digilantes formed a Google Group to use Face.com’s facial recognition API to identify rioters. The group produced no clear results and disbanded in August, but it was successful in demonstrating that the technology is accessible to average citizens.
ADDING THE SOCIAL NETWORKS In order to “help make tagging your friends easier,” Facebook added an app that automatically identifies other Facebook users in uploaded photos. It prompts users to tag others based on the app’s suggestion. Each time a photo is uploaded to Facebook with your name attached, this “Tag Suggest” app gathers data from the photo and learns how to better identify you in future uploads. Although Tag Suggest is a default setting on many profiles, users can turn it off through their privacy settings. Still the ability for Facebook to recognize you and build on its biometric database is preserved. Since its debut in June, Tag Suggest has been rolled out in most of the countries represented on Facebook, but not all are happy about it. In November, Germany’s data protection agency announced its intention to file suit against Facebook over Tag Suggest. The agency claims that Facebook compiled its massive facial recognition database without the prior knowledge or consent of millions of users, resulting in a wholesale invasion of privacy. At this time no lawsuit has been filed.
WHAT CAN BE DONE? Aside from legal action, there are a few steps that can be taken to protect individual privacy. According to IBIA, banning the technology is a “desperate act” and ultimately futile. As IBIA report author Joseph Atick points out, past attempts to stifle useful technologies have been unsuccessful, and facial recognition is too vital a security tool to throw out with the bathwater. Atick argues we must begin by changing the way we look at identity-tagged images in the cloud. These, Atick says, must be treated like any other personal identity information and should be subject to the same protections as social security numbers, financial data and health care records. Accordingly, any security breach on an image site should be countered with equal severity. Additionally, Web sites hosting identity-tagged images should set up protections against software that aims to harvest images for the creation of databases. Finally, Atick advocates for a warning system to alert consumers uploading images that the photos could be used for facial recognition. In this way, the consumer is given the chance to “opt-in” to sharing such information, rather than do so unknowingly. The moment of convergence for this “perfect storm” has not yet arrived, according to the IBIA report – but it is inevitable. In order to reach the level of widespread privacy invasion suggested by the Carnegie Mellon research, the technology still requires additional refinement, as suggested by the failure of the Google digilantes. Thus IBIA says there is still time for the facial recognition industry to establish self-regulatory measures to protect individual privacy while allowing the technology to serve as a valuable security resource.
FTC EXAMINES FACIAL RECOGNITION The Federal Trade Commission (FTC) is seeking public comments on facial recognition technology and the privacy and security implications raised by its increased use. The FTC held a public workshop to address commercial applications of facial detection and recognition technologies at the close of 2011. Participants explored current uses, future uses, benefits and potential privacy and security concerns. Facial detection and recognition technologies have been adopted in a range of new contexts, ranging from online social networks such as Facebook and Google+, to digital signs and mobile apps. The increased use has raised a variety of privacy concerns. The FTC collected public comments on issues raised at the workshop, including but not limited to:
• What are the privacy and security concerns surrounding the adoption of these technologies, and how do they vary depending on how the technologies are implemented?
• Are there special considerations that should be given for the use of these technologies on or by populations that may be particularly vulnerable, such as children?
• What are best practices for providing consumers with notice and choice regarding the use of these technologies? Are there situations where notice and choice are not necessary?
• By contrast, are there contexts or places where these technologies should not be deployed, even with notice and choice?
• What are best practices for developing and deploying these technologies in a way that protects consumer privacy?
A report is likely though no timeline has been published.
NEW ANDROID APP DETERMINES AGE VIA FACE RECOGNITION
A new app for Android phones developed by AppTech purports to be capable of recognizing a person’s age via the built-in camera on the phone. The app, called ReconAge, utilizes face recognition technology from biometric developer Cognitec Tecnologia Brazil and data processing technology from data processing specialist BrScan Tecnologia. The long-term hope for the app, which utilizes real-time face recognition, is to give marketers and advertisers the ability to know a user’s age when targeting messages. Releases of ReconAge for the iPad and iPhone are expected in March.
KRAFT FOODS USES FACIAL RECOGNITION TO GUESS AGE
Kraft rolled out vending machines in Chicago and New York to provide free dessert samples to adults. The machines estimate the age of the individual using facial recognition technology. The machine uses a biometric scanner to estimate the age and gender of people standing in front of it, and will serve adults but refuse children. The machines are being piloted at Chicago’s Shedd Aquarium and New York’s South Street Seaport. The iSample is designed to offer free samples of Kraft’s new offering Temptations, a dessert marketed at adults. None of the information captured by the machine is stored or used later.
ANDROID’S FACIAL RECOGNITION NOT VERY SECURE
The facial recognition feature that’s part of the most recent incarnation of the Android mobile device operating system, called Ice Cream Sandwich, is being panned as very easily fooled, according to an Information Week article. The feature uses a front-facing camera to enable a registered user access to the phone and apps. But it reportedly can be fooled by presenting a printed photo of the registered user. Among solutions to improve the facial recognition feature would be the addition of liveness detection by requiring a user to smile or wink while in the process of authenticating, thus rendering the photograph spoof impossible.
facial recognition update
RHODE ISLAND DMV USING BIOMETRICS TO FIGHT FRAUD
The Department of Motor Vehicles in Rhode Island is using facial recognition in its license and identification card issuance programs in an effort to curb identity fraud. The system the DMV utilizes compares all the photos taken for state-issued ID cards and runs them through the face recognition software to check if an individual has more than one license under different names. It has caught the attention of privacy advocates who worry the use of facial recognition with stored state ID photos could be an invasion of privacy. Despite the worries, the DMV maintains that the program is only used when fraud is suspected and depends on final human assessment.
ALABAMA JAIL DEPLOYS 3D FACE RECOGNITION
Madison County Jail in Alabama implemented a 3D face recognition system to prevent the accidental release of the wrong inmate. Releasing the wrong inmate may seem unlikely but it has happened, states Steve Morrison, the chief deputy of Madison County Jail. Now the same technology that was used to positively identify the body of Osama bin Laden is being used in the jail. It is the first in the state to get the National Security Resources’ 3D facial recognition program. It’s costing the county $15,000 for the first phase. The same system is expected to be deployed in the United Kingdom’s bus depots and subway systems and will go into Reagan and Dulles airports, as well as the U.S. Courthouse in Atlanta.
3D SYSTEM THWARTS COMMON PHOTO SPOOF
Ireland’s Viv.ie announced its new facial recognition technology that claims to solve a number of the security pitfalls common with mobile phone facial recognition offerings. Face recognition is gaining traction in the smart phone market, where individuals gain access to the device using the front facing camera on the device. Progress, however, has commonly been thwarted by hacks that simply hold a picture of the user up to the device. Viv.ie claims to have solved this problem through image detection that looks to ensure the sample is in three dimensions. Additionally, the developer is expecting to deploy similar technology that will be able to detect if the sample is fed from a prerecorded source or streamed to the software.
NSTIC TO FUND $10M FOR PILOTS; CYBER SECURITY STEERING COMMITTEE FORMING
The National Institute of Standards and Technology will evaluate pilots to support the National Strategy for Trusted Identities in Cyberspace and will also help establish a privately led Identity Ecosystem Steering Group.
NIST has budgeted $10 million for the pilots and anticipates funding five to eight separate projects. Each selected pilot will last up to two years and receive between $1.25 million and $2 million per year, though proposals requesting smaller amounts may be considered. The deadline for submitting initial proposals was March 7. For the initial round of proposals, NIST requested concise, five page descriptions of what the pilot would entail, says Jeremy Grant, senior executive advisor of ID management at NIST. There will be a cut by the end of March, and selected applicants will be asked to submit in-depth proposals by the end of April. Funded pilots should be announced at some point in the summer. The opportunity cites a number of barriers that have prevented identity solutions from being widely deployed in the marketplace including:
• The need for technical standards that ensure interoperability among different identity authentication solutions.
• A lack of clarity about liabilities when something goes wrong.
• No common standards for privacy protections and data re-use.
• Issues with ease of use for some strong authentication technologies.
Specifically, NIST is seeking pilots that address some or all of these barriers while adhering to the four central principles guiding the strategy: identity solutions should be privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use. For example, the funding opportunity notes that proposals could include, but are not limited to, technologies or approaches that:
• Create identity hubs to quickly validate credentials with strong authentication methods meeting agreed upon standards,
• Provide incentives for consumers to use trusted authentication methods in lieu of user IDs and passwords,
• Include improved ways to enhance consumer privacy, while simultaneously meeting business and security needs, or
• Demonstrate interoperability across various technologies such as smart cards, one-time passwords or digital certificates.
REPORT COMMISSIONS STEERING COMMITTEE One of the core tenets of the national strategy is that it be led by the private sector, says Grant. The creation of the steering committee is a step to make sure that happens. In early February NIST released a report defining this committee entitled, “Recommendations For Establishing An Identity Ecosystem Governance Structure.” The committee will be open to anyone, Grant explains. “We want to have a good balance of stakeholders, so we don’t have one company abuse the process,” he adds. In order to prevent large companies from controlling the committee, NIST describes multiple safeguards that are designed to provide protections for individual privacy and the underrepresented and guard against undue influence by any single stakeholder group.
SAFEGUARDS CALLED FOR IN THE REPORT INCLUDE: • Privacy Coordination Committee: A permanent body responsible for reviewing and approving all Steering Group standards, policy and procedures to ensure they do not violate accepted privacy standards. • Ombudsman: An impartial and unaffiliated officer responsible for supporting equitable representation of all stakeholders and individual
participants and upholding the guiding principles. • Operating principles: All operations within the Steering Group should be conducted in accordance with the principles of openness and transparency, balance, consensus and harmonization. • One member, one vote: Within the Plenary and on the Management Council no single stakeholder group or organization should have more than one vote in decision-making proceedings. • Multiple pathways to participation: The Identity Ecosystem Steering Group should maintain multiple pathways to enable all stakeholders the broadest opportunity to take part – directly or indirectly – in the Steering Group. The government recommends a Steering Group structure with two bodies, a Plenary and a Management Council, with supporting roles and dispersed decision making responsibilities. The Plenary should be a large body containing working groups and committees dedicated to conducting the work required for establishing and adopting standards, policies and procedures to govern the identity ecosystem. The Management Council should be a smaller group consisting of officers, delegates from stakeholder groups, and at-large delegates. This council should be responsible for providing strategic guidance to the Plenary, supervising its progress, and resourcing its operations. Grant is also working on funding some of the groups in the steering committee so stakeholders don’t have to worry about paying for expenses related to participation in committee activities.
IDENTITY AWARD WINNERS ANNOUNCED
At the end of each year, the annual Cartes & Identification conference in Paris, France starts off with the Sesames Awards for excellence in identification technologies. For 2011, ten separate awards were given to global players in the sector – manufacturers, users, integrators and developers – each selected by an international panel of experts.
The winners are:
Best Hardware: Dynamics with Chip & Choice
The card has multiple chips and buttons. Only one “chip” is used for EMV purposes. A user presses a button and the payment application associated with that button is loaded into the EMV chip. The solution solves the point-of-sale software fragmentation problem that has prohibited the rollout of advanced EMV applications.
Best Software: NXP Semiconductors with Open Source NFC Host Software stack for Android
This product is a full NFC mobile phone host software stack. It is provided in open source to enable the launch of Android NFC phones, serving as reference in official Google Android releases. It supports all NFC applications, and enabled the deployment of first commercial NFC services including Google Wallet.
Best Production & Tests application: Oberthur Technologies - ID One Digital Watermark
ID-One Digital Watermark is a technology embedded into the electronic component of an identity document - such as passports, national identity cards or driver licenses - which can warn officials if that document has been tampered with or modified. After the chip on the document is read the facial photo will look different in the inspection system alerting officials that tampering has occurred.
Best Transportation Application: Inside Secure with VHBR
The Very High Bit Rate (VHBR) application accelerates data transfer between contactless cards and readers providing data transfer rates up to 64 times faster than basic bit rate systems. It is ideal for systems that require download of a high volume of data, such as identification systems that require a photo, or in systems requiring rapid throughput, such as transit systems.
Best Identification/ID Cards Application: Smart Packaging Solutions with Embedded Contactless Module
The SPS embedded contactless module is an alternative manufacturing process to the traditional contactless inlay technology. It enables contactless cards to be manufactured using the same equipment that creates contact cards. It provides benefits for card manufacturers such as cost savings, higher card reliability and a more secure manufacturing flow.
Best IT Security Application: Gemalto with Just4YourEyes
Just4YourEyes is a cloud-based service that removes the need to store PKI credentials on multiple devices. The solution enables any mobile device, or a secure element within that device, to access the PKI credentials required to encrypt or sign emails.
Best Banking/Retail/Loyalty Application: Simartis Telecom with Bubble
Bubble is a SIM&Server solution that offers mobile network operators (MNO) a way to display commercials based on a consumer’s last action with the device. Bubble can be integrated into an MNO’s analytical customer relationship management system to provide customized offers which are more relevant to individual subscribers and are not perceived as unsolicited messages. Using Bubble, operators are able to deliver ads at a relevant time linked to the customer’s action, thereby boosting the rate of response to promotions.
Best Mobility Application: NXP Semiconductors with PN65 Secure NFC module
The PN65 is a secure NFC module that combines mobile payments and ticketing. The product combines an NFC controller, Secure Element, JavaCard operating system as well as payment and transport applications. The module comes with fully qualified NFC host software and powers the Google Wallet solution.
Best Trusted Internet/Authentication Application: HID Global with Next Generation Secure Identity Ecosystem
HID Global’s Next Generation Secure Identity platform is based on HID’s Trusted Identity Platform and Secure Identity Object model. It introduces technology-independent digital credentials that can be deployed on a variety of devices including smart phones, microprocessor-based cards, contactless smart cards, and USB tokens.
Best eTransactions Application: Verifone with PAYware Mobile Enterprise
PAYware Mobile Enterprise enables users to create a checkout wherever, whenever. The mobile solution integrates with existing in-store POS systems and works with all forms of electronic payment including magnetic stripe, EMV chip and PIN, NFC-enabled handset and contactless cards. It also incorporates VeriShield Protect card data encryption, as well as a 2D bar code scanner to provide retailers with a secure solution for mobile POS and other applications.
EMV CAN BE MORE THAN PAYMENTS Will the U.S. see additional apps with high-security cards?
JILL JARACZ, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
It’s finally on the horizon: EMV chip cards are coming to the United States. EMV will give broader security against fraud than a traditional magnetic stripe, but it also opens the door to additional applications that could make the card a multi-purpose tool. Will U.S. issuers take advantage of EMV’s full range of capabilities beyond payment? Because the EMV card is essentially a small computer, it’s capable of doing much more than payments. The chip itself is the equivalent of an IBM PC XT from the 1980s, explains Philippe Benitez, Gemalto’s vice president of marketing for Secure Transactions, North America. “The processor has the same amount of power as an old PC,” says Benitez. This means the chip has the capacity to enable other applications alongside its secure payment functions.
THE EARLY DAYS
Issuers began adding applications to EMV cards in the late 1990s, with loyalty programs being an early addition. According to a MasterCard case study, Turkey’s Garanti Bank became an early adopter when it launched the Bonus MasterCard multi-branded chip card in 2000. The card combined MasterCard credit with a loyalty program and public transportation services, all residing on the card’s chip. Garanti established alliances with 5,000 merchants to take part in a single loyalty program. At 350,000 acceptance points, merchants track their customer purchasing patterns and cardholders earn cash back rewards. Gemalto assisted in the launch of the card that ultimately increased Garanti’s market share in the country. “The [more] services they provide, the higher the utilization rate and retention rate,” says Benitez.
Ticketing, access, transit and e-purse are just a few examples of applications that can be added to EMV cards.
TRANSIT APPS
EMV chip cards can also support transportation applications including fare collection, ticketing and gas station and fleet applications. Visa and Barclays issued the Barclaycard OnePulse card, which includes both credit and transit functionality. Launched in 2007, the card supports both EMV via the contact chip and a Visa payWave feature via the contactless interface. Additionally, the chip’s Oyster application can be used for travel on public transportation in London. In a separate project, MasterCard partnered with the UK’s Manchester United football team for access and loyalty applications. A MasterCard-branded EMV card stores season tickets replacing paper tickets as the means to identify fans, says Benitez. The card also has a PayPass feature that enables contactless payment at bars and stands in the stadium. In September 2011 Colsubsidio, the major compensation fund in Colombia, created the Colsubsidio Multi Service Membership Card. Members can use this card for EMV payments, as well as for additional services including an e-purse application, entrance to recreational parks and access to sport and convention centers.
The card’s contactless interface facilitates access to public transportation services in the city of Bogota. According to Benitez, this multi-application card is also used to distribute social benefits to cardholders, who then withdraw funds or use the card to pay for services at merchants.
EXTRA SECURITY FOR ONLINE BANKING
In terms of online banking, EMV chip cards can carry applications for one-time password (OTP) authentication to help combat phishing attacks. This application is in wide use in parts of the world where cardholders commonly use a card in conjunction with an OTP token to access online banking, explains Benitez. The EMV chip enables the issuer to add features to the card. The chip is segregated so that it has the ability to store files in different secure locations to ID the cardholder. This means a number of different apps could be used in conjunction with the EMV chip. “If you don’t want credit card information to be shared with other applications, there’s segregation in the card for that,” says Benitez. When thinking about other possible apps for EMV chip cards, single sign-on (SSO) also carries potential. In 2004 scholars Andreas Pashalidis and Chris J. Mitchell wrote a paper proposing the use of EMV for SSO. In “Using EMV Cards for Single Sign-On,” published in EuroPKI, the researchers propose a login plan where an EMV card acts as the authentication token. Banks have not yet seized upon this opportunity, explains Mitchell. “As far as I know, banks have not added SSO functionality to their EMV cards.”
CHALLENGES TO ADDING APPS
While the possibilities for EMV applications can seem endless, Benitez says there are challenges to adding apps to the card. Because the card will always need to be read by some type of reader, the terminal side may require modifications, says Benitez. Then there is the issue of security. Some applications may not be as secure as others that reside on the same chip. The payment application must be extremely secure, explains Benitez, so you can’t reduce its security when introducing additional applications. Transit or student ID apps such as laundry, copying and building access can be as secure or as insecure as the owner of the application desires. The application can be open with data freely available to everyone … or it can be locked down like the Department of Defense’s Common Access Card, says Benitez. It’s up to the application developer to decide how much security should be applied, but adding security to individual apps can add complexity. Multiple PINs for different applications can be cumbersome for end users. When the application sits alongside a Visa or MasterCard EMV or other payment application, it must be certified by the payment brands, says Benitez. Because EMV is still a few years from being fully rolled out in the U.S., there are still great opportunities for additional applications to be developed. Perhaps these programs from other parts of the world will serve as catalysts to U.S. issuers encouraging the addition of other services to these new payment cards.
BANKS MULLING STRONG AUTHENTICATION OPTIONS 2012 could see mass adoption for commercial customers
Jorge Solis would like you to imagine three houses next to one another. One has a small dog bowl outside with the name “Fife,” the next has a regular sized bowl with “Max” on it and the last has a large dog bowl with the name “Killer” inscribed. Which house will a burglar try to rob?
This is the approach that First Midwest Bank is taking to protect its business customers from hackers. They want the “Killer” dog bowl in front, says Solis, senior vice president of security at the Itasca, Ill.-based financial institution.
First Midwest deployed technology from PhoneFactor to help secure its business customers. Other financial institutions are also adding extra identity security as federal regulators take a closer look at how these organizations are protecting customers. In June the Federal Financial Institutions Examination Council released an update to 2005 guidance recommending a risk-based approach and telling institutions to provide periodic assessments in response to new threats. The supplement stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks and raising customer awareness of potential risks. But it does not endorse any specific technology. The guidance, however, recognizes the emergence of malware and more sophisticated man-in-the-middle and man-in-the-browser attacks. The attacks can circumvent one-time pass code tokens and the report recommends antimalware software, transaction monitoring, out-of-band authentication and secure USB devices. Starting in January examiners will assess banks under the new guidance. Still there’s some question as to what penalties will be dealt to institutions lacking appropriate security. “I compare the FFIEC guidance to mall cops or the old school British cops that had only clubs yelling ‘stop! Or I’ll yell stop again!’” explains Adam Dolby, eBanking manager for the Americas at Gemalto. “So what if you don’t? What it could do is add to penalties for other infractions, but nothing is specified. The absence of penalty also underscores what it is: guidance, not regulation – which has penalties spelled out.” Since it’s other government agencies that do the reviews there are possible penalties, says Kevin Bocek, vice president of marketing at IronKey Inc. “The FFIEC doesn’t do the audits, so the ultimate penalty is for an examining body such as the FDIC to issue a cease and desist order for online banking,” he says. “The more likely penalties are more frequent examinations, probing questions and longer exams.”
ALREADY SEEING RESULTS
It was 2009 when First Midwest decided to move forward with stronger authentication for its commercial clients, Solis explains. After more than a year of reviewing different technologies the bank decided to go with one-time pass code tokens. But only a couple of weeks after issuance, one provider’s tokens were compromised and the bank opted to go another route. Commercial, high-net worth and municipal clients are using the authentication technology from PhoneFactor to initiate wire transfers or automated clearinghouse transactions. When a transfer or ACH is initiated, the system calls the user at the preregistered phone number and requests their PIN. The unique ID number is entered into the phone, and if confirmed, the customer is allowed to proceed with the transaction. To register customers, First Midwest worked with PhoneFactor on some communications material, Solis says. But overall the process was fairly simple. “We had more than 500 customers signed up in a couple of weeks,” he adds. And it didn’t take long to see results. A couple of weeks after the deployment a customer was contacted asking for their PIN as a hacker was trying to transfer money out of their account, Solis says. The customer notified the bank and the theft was thwarted.
Other banks are also being proactive. Guaranty Bank and Trust Company deployed technology from IronKey to protect its corporate customers, says Mike Justice, senior vice president and manager of operations at the Denver-based financial institution. In 2010 Justice was reading more and more about the various attacks against banks and their customers. In his research it seemed the most common problem was customers with infected computers. “Clients are very good at what they do but they don’t necessarily take care of their technology,” Justice says. Previously the FBI recommended that businesses dedicate a computer solely for online banking, Justice says. This is an ideal situation, but the cost makes it less than realistic for many of Guaranty’s clients. Guaranty started investigating different solutions in 2011 that would protect the browser and prevent man-in-the-middle attacks, Justice says. The bank’s online Web provider was integrating with one-time pass code tokens but Guaranty felt they could provide a more secure option. A cold call from IronKey brought the two together, Justice says. That led to conference calls, demos and finally a rollout. The company provides a USB drive that stores an isolated Web browser used just for online banking. The USB device is essentially a computer used only for online banking as the FBI recommended. Customers plug the keyfob into the computer and a secure Web browser is launched and the bank’s Web site automatically launches. User name and password are entered and the individual conducts desired transactions. When they’re done the drive is removed from the PC and the session closes. With IronKey’s technology everything is contained on the drive and it’s locked down so viruses and malware can’t attack it and access data. Guaranty has rolled out 400 of the drives since November, Justice says. Depending on the customer the issuance was a different experience. “We have both small mom and pop shops that work out of their home and larger companies with several hundred employees so we had to approach them differently,” Justice explains. The overall message, however, was one of help. “We came to them and said, ‘it’s a nasty world out there and we want to help you protect yourself,’” Justice says. Thus far the feedback has been good, Justice says. There have been some companies that don’t have USB drives on their machines so IronKey’s software-based solution has been deployed. Guaranty is also looking at possible revenue generating opportunities with the IronKey devices, Justice says. Since the bank controls the IronKey environment other sites could be added for secure access and the bank could charge for it.
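The out-of-band flow First Midwest describes, where the browser session only initiates a transfer and approval comes from a PIN keyed in on the pre-registered phone, as an added example in Python (not the bank's or PhoneFactor's code; the class and method names, PBKDF2 PIN storage, three-attempt limit and two-minute expiry are assumptions, and all data is constructed):

```python
"""Out-of-band transaction approval (added example, assumptions as stated above).

The point of the design: a man-in-the-browser can submit a transfer, but the
PIN challenge is delivered on a channel the browser never touches, and the
PIN check plus its attempt counter live on the server, not in the session.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class Customer:
    user_id: str
    phone: str          # registered at enrollment, never taken from the browser
    pin_salt: bytes
    pin_hash: bytes


@dataclass
class PendingTransfer:
    transfer_id: str
    user_id: str
    amount_cents: int
    destination: str
    created: float
    confirmed: bool = False
    failed_attempts: int = 0


class OutOfBandApprover:
    MAX_ATTEMPTS = 3      # assumed policy: three wrong PINs cancel the transfer
    TTL_SECONDS = 120     # assumed policy: unconfirmed transfers expire

    def __init__(self, now=time.time):
        self._customers = {}
        self._pending = {}
        self._calls_placed = []   # (phone, transfer_id): stands in for the dialer
        self._now = now

    @staticmethod
    def _hash_pin(pin, salt):
        # Slow hash so a stolen PIN table is not trivially reversible.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user_id, phone, pin):
        salt = os.urandom(16)
        self._customers[user_id] = Customer(user_id, phone, salt, self._hash_pin(pin, salt))

    def initiate_transfer(self, user_id, amount_cents, destination):
        """Called from the online-banking session. Nothing moves yet."""
        cust = self._customers[user_id]
        tid = secrets.token_hex(8)
        self._pending[tid] = PendingTransfer(tid, user_id, amount_cents, destination, self._now())
        self._calls_placed.append((cust.phone, tid))   # challenge goes to the phone
        return tid

    def confirm_on_phone(self, transfer_id, pin_entered):
        """Called by the telephony side with the digits the user keyed in."""
        pt = self._pending.get(transfer_id)
        if pt is None or pt.confirmed:
            return False
        if self._now() - pt.created > self.TTL_SECONDS:
            del self._pending[transfer_id]
            return False
        cust = self._customers[pt.user_id]
        if hmac.compare_digest(self._hash_pin(pin_entered, cust.pin_salt), cust.pin_hash):
            pt.confirmed = True
            return True
        pt.failed_attempts += 1
        if pt.failed_attempts >= self.MAX_ATTEMPTS:
            del self._pending[transfer_id]   # cancelled, not silently retried
        return False

    def execute(self, transfer_id):
        """Only a phone-confirmed transfer is released, and only once."""
        pt = self._pending.get(transfer_id)
        if pt is None or not pt.confirmed:
            return False
        del self._pending[transfer_id]
        return True

    def last_call(self):
        return self._calls_placed[-1] if self._calls_placed else None
```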
OTHER ADOPTION?
While First Midwest and Guaranty have deployed solutions to help protect their commercial customers, they’re in the minority. “In our estimate 10% or less were truly compliant with the latest FFIEC recommendations at the start of 2012,” says IronKey’s Bocek. It’ll most likely be the second half of 2012 before a large number of banks roll out additional fraud protection systems, Bocek says. “Banks need multiple layers of security,” he explains. “They need secure browsing, out-of-band authentication and enhanced capabilities to analyze and protect from fraud.”
While it may seem like many banks have little Fife-size dog bowls in front now that will change as 2012 progresses and more institutions get bigger and badder dogs to watch the front door.
GEMALTO ROLLS OUT FFIEC PRODUCT
Gemalto has taken the traditional USB key used for secure browsing and tweaked it for secure online banking. The Ezio Plug and Sign is aimed at the corporate bank customer to tackle automated clearinghouse and wire transfer fraud. The entire browsing experience is contained on the USB drive so it can’t be infected with malware, says Adam Dolby, Gemalto’s eBanking manager for the Americas. It integrates a smart card secure microprocessor and operating system that is built on Gemalto’s Ezio technology already used by more than 40 million bank customers worldwide. The customer plugs the USB device into any computer, and Ezio launches a secure online portal enabling the customer to review, approve and sign a variety of banking transactions. The user enters a PIN when first logging on to the site and uses that same PIN to transfer funds. The drive itself will blink when a transfer is requested and the customer is required to push a button on the drive as a further authentication mechanism. Other services can also be offered to extend the device’s versatility, including secure email, secure electronic bank account management and secure statement viewing.
MASTERCARD, VISA REVEAL DETAILS ON EMV AND NFC FOR U.S.
January was a busy month for Visa USA and MasterCard as both organizations revealed their individual visions for the future of payments. Visa revealed details on the U.S. EMV rollout, which won’t be chip and PIN but instead a new technology that takes advantage of the online infrastructure available in the U.S., according to Stephanie Ericksen, head of Authentication Product Integration at Visa USA. In the U.S. payment transactions are authorized in real time. In other countries this connectivity doesn’t exist, which brings up the need for a PIN for further authorization. “At the time EMV was created, the cost and complexity of connecting a merchant POS device to some telecommunication networks was prohibitive. The way around that was to introduce ‘floor limits’ and create a magnetic stripe alternative – EMV chip-and-PIN – as a counter to potential fraud,” writes Ericksen. Going with a yet-to-be-defined ‘online-only EMV’ system should make deployment easier and less expensive.
MasterCard introduced a road map focused on advancing the U.S. electronic payments system. The map, which includes the path for migration from magnetic stripe to EMV technology available on chip cards, will serve as the foundation for the next generation of products and services. As payments evolve to include new devices and new channels, such as mobile and eCommerce, the road map takes steps to address how consumers shop, providing them greater security and control in their payment choices and the potential to integrate loyalty programs and offers into the purchasing experience. “We’re moving toward a world beyond plastic, where consumers will shop and pay in a way that best fits their needs and lifestyles with a simple tap, click or touch in-store, online or on a mobile device,” said Chris McWilton, president of U.S. Markets at MasterCard. “Our road map represents a transformational shift in the approach to payments and is not simply about EMV chip-and-PIN. We’re focused on readying the ecosystem to drive future innovation and provide new consumer experiences to enhance the value of electronic payments.”
Elements of the MasterCard road map include:
• Solidify EMV as the foundation for the next generation of payments
• Work with acquirers to ensure infrastructure readiness by April 2013
• Encourage greater security and cardholder verification to reduce fraudulent transactions
• Provide financial benefits for merchants implementing EMV-compatible terminals
• Address all touch points where consumers interact with MasterCard, including ATMs, the physical point-of-sale, online and mobile commerce
As issuers evolve their offering and merchants upgrade their terminals, the payments system will become more secure as dynamic data is introduced into the payment transaction. In its road map, MasterCard supports the need for the payments ecosystem to be aligned regarding the implementation of EMV standards in the U.S. The company has indicated it will support current industry timelines to minimize disruption and to maximize investments.
IS GOOGLE WALLET SECURE ENOUGH?
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
The world of mobile payments took a step forward in September when the Google Wallet was rolled out. The mobile application provides secure storage of payment information and uses near field communication (NFC) to complete a transaction. It takes a simple tap of the phone to make a purchase. The Google Wallet is only available to Sprint customers with Samsung Nexus S 4G or Samsung Galaxy Nexus smart phones. So, the app isn’t exactly spreading like wildfire. Besides being limited to one type of phone in the U.S., questions are being raised about the security of the app. ViaForensics, a digital forensics firm specializing in mobile security, released an analysis of the Google Wallet at the end of 2011. The analysis found that while the Wallet is generally secure, it leaves too much information unencrypted on the phone. ViaForensics reported its findings to Google, and Chief Investigative Officer Andrew Hoog says his team worked with Google for about a week. “There were a number of issues that were indeed fixed and then rolled out. We give them a lot of credit for engaging in that process,” says Hoog. “However, there was still enough information stored on the device that we did not feel that we could give it a passing grade.” The information left behind included the user’s email address, credit card balances, payment due dates, and the last four digits of the card. “If somebody was trying to take over your identity, they could use this information to either pose as you or act like they’re your credit card company and try to get you to release the additional information they need,” says Hoog.
Hoog recommends that on the device Google store only the information that is absolutely needed and that any crucial information be PIN encrypted. To use Google Wallet for a transaction an individual enters a PIN to transmit payment data. A potential fraudster, however, could find the data that is left behind on the handset. To this point, Google has not followed the advice to PIN-encrypt that data. “Generally speaking, for a lot of app developers, having a consumer type in a PIN or a password in order to get into the application is an extra step that they really want to avoid. So much about mobile is give me the information fast, make it very easy, don’t get in my way,” says Hoog. Speed and convenience are probably keeping Google from making such changes, says George Peabody, director of Emerging Technologies Advisory Service at Mercator Advisory Group. “A point of sale transaction has got to go through quickly. If it has to establish a link over a wireless connection to some back end service, some cloud based service, how long is that going to take and how would that affect the speed of the transaction for the consumer and for the merchant?” he asks. “The speed of transaction for merchants for a quick service restaurant is really, really important. In that domain, milliseconds matter. Caching data in a local device has long been a strategy to obviate performance concerns. But if that’s going to be the case, then it has to be stored in such a manner that it’s not in the clear and can’t be compromised.”
Hoog thinks the Google Wallet holds plenty of promise for users. They may like having PIN encrypted data in a device they carry all the time. They may prefer to tap their phone instead of fishing for a physical card to swipe. “As a consumer I enjoy using it and look forward to maybe some of these security enhancements being put in place,” says Hoog. “On the flip side, if you say ‘if somebody did get their hands on this information, it would place my identity or my finances at risk,’ then I think you’d decide to wait. I think it’s likely that Google will address some of these issues. All of the payment vendors realize security is going to be very, very important for consumer adoption,” says Hoog. Peabody thinks it will take a lot of work for Google to move beyond the fear factor that potential customers have regarding security. He says Google and mobile operators will have to work in concert to convince skeptical consumers that the Wallet is a secure method of payment. “When people see it being done and the experience is successful, that’s when adoption starts to take off. Unfortunately, there are a lot of barriers to payments being successful right now. I’m concerned about the NFC ecosystem where all the participants are blocking access and not able to work together.” Peabody says NFC is a technology that could benefit everybody in the ecosystem, but consumers don’t yet have a consistent experience between merchants, banks and mobile operators. That, he says, will slow adoption of the Google Wallet. He also thinks the technology itself has a long way to go before it can become widespread. “It’s still very early days. This looks to me like a classic case of technology maturation.
The number of people actually able to use Google Wallet is really small … they’ve got to be on Sprint. The number of handsets that are NFC equipped is still very low, in the tens of thousands. So, we’re absolutely in the pilot stage of NFC and mobile-based wallets.” Bottom line for Hoog is that anyone concerned about the type of data stored should probably hold off getting the Google Wallet. “Our goal is to make sure that they have as much information about what is stored and how it’s transmitted. That way they can make their own decision whether the convenience and the value of the application outweighs any perceived security risks,” says Hoog.
GOOGLE DEALING WITH MORE WALLET HACKS
Google had to deal with additional attacks to its Wallet application in early February. First, Web security provider Zvelo uncovered a way to crack the Google Wallet PIN security feature. Using an app called “Wallet Cracker,” Zvelo was able to expose the PIN of a Google Wallet account without entering a single invalid attempt, thus bypassing the security feature that locks the wallet following five invalid attempts. The hackers used a brute force attack because the Wallet’s PIN was stored in the application. The attack was only possible on a device that has been “rooted” to enable applications to be added. Osama Bedier, Google Wallet and Payments vice president, said that any vulnerabilities to the PIN feature are due to misuse, rather than a flaw in design. “Sometimes users choose to disable important security mechanisms in order to gain system-level ‘root’ access to their phone,” said Bedier. “We strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device.”
A problem was also discovered with the prepaid accounts that Google offers users. An individual who obtained another’s phone could simply clear the data in the app settings, forcing Google Wallet to reset and prompting the user to establish a new PIN. Using the new PIN, the original Google PrePaid card that was linked to the account is once again accessible. Google recognized the weakness and shut down the prepaid system, which was fixed a couple of days later.
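The two designs at issue in the Zvelo finding, as an added example that is not Google's or Zvelo's code: a PIN digest kept in the app's own storage with an app-enforced five-try counter, beside verification inside a component that keeps the secret and the counter to itself. The storage layout, class names and sample PIN are constructed; the offline search runs only against that constructed data.

```python
"""Why an app-side lockout counter cannot protect a locally stored PIN digest,
and the hardened alternative (added example, assumptions as stated above)."""
import hashlib
import hmac
import os
import secrets

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]   # a 4-digit PIN has only 10^4 values


class AppLocalPinStore:
    """Weak pattern: the app's private data directory holds a salted digest of
    the PIN and the failed-attempt counter. The five-try lockout is enforced in
    app code, so it only constrains someone who goes *through* the app."""
    MAX_TRIES = 5

    def __init__(self, pin):
        self.salt = os.urandom(8)
        self.digest = hashlib.sha256(self.salt + pin.encode()).digest()
        self.failed = 0
        self.locked = False

    def verify(self, pin):
        if self.locked:
            return False
        ok = hmac.compare_digest(
            hashlib.sha256(self.salt + pin.encode()).digest(), self.digest)
        if not ok:
            self.failed += 1
            self.locked = self.failed >= self.MAX_TRIES
        return ok

    def files_readable_by_root(self):
        """On a rooted handset any process can read the app's data directory."""
        return self.salt, self.digest


def offline_search(salt, digest):
    """What the app-side counter never sees: with the (salt, digest) pair in
    hand, verify() is never called, so failed/locked never change. Returns the
    matching PIN from the constructed store, or None."""
    for candidate in PIN_SPACE:
        if hashlib.sha256(salt + candidate.encode()).digest() == digest:
            return candidate
    return None


class SecureElementPinVerifier:
    """Hardened pattern: the secret and the attempt counter sit inside a
    tamper-resistant component (a secure element, or the issuer's server) that
    exposes only verify(). Root on the application processor does not expose
    the key, and clearing app data does not reset the counter."""
    MAX_TRIES = 5

    def __init__(self, pin):
        self._key = secrets.token_bytes(32)           # never leaves the component
        self._tag = hmac.new(self._key, pin.encode(), "sha256").digest()
        self._remaining = self.MAX_TRIES

    def verify(self, pin):
        if self._remaining == 0:
            return False                              # locked until re-personalised
        ok = hmac.compare_digest(
            hmac.new(self._key, pin.encode(), "sha256").digest(), self._tag)
        self._remaining = self.MAX_TRIES if ok else self._remaining - 1
        return ok

    def tries_left(self):
        return self._remaining

    def visible_to_app(self):
        """Everything the application processor ever sees: a counter, and
        nothing that supports an offline search."""
        return {"tries_left": self._remaining}
```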
ID MANAGEMENT FOR CLOUD-BASED APPS As more data leaves the enterprise strong identity lags
In addition to convenience, cloud computing is touted for its money saving capabilities as companies reduce software licensing costs and hardware requirements. Identity management in the cloud isn’t as cut and dried. Standards are emerging to manage identities in the cloud but, until now, it hasn’t been a priority. The auditing and provisioning capabilities that are typical with enterprise-based ID management systems are tough to come by with cloud-based systems. “ID management is the biggest weakness we have right now,” says Tony Busseri, CEO at Route1, a digital security and ID management provider. “People have rushed to embrace a technology that’s great in concept, but they have ignored the ID management.” These issues exist more in the public cloud than the private cloud, Busseri explains. “The public cloud is great in terms of functionality but from a privacy standpoint you don’t know where the information is going,” he says. A private cloud, while more expensive, enables a corporation to put its own security and ID management protocols in place. “With the public cloud, security and identity are treated as a secondary concern,” Busseri says, “or not at all.” And once the data is in the cloud it’s not necessarily possible to get back. “It’s like trying to put toothpaste back in the tube,” Busseri explains.
The problem begins when an organization decides to start using a cloud-based application, says Andy Land, vice president of marketing at UnBoundID Corp. The use of a cloud app typically doesn’t begin with IT but out of a business need. “It starts with a business case,” explains Land. “It becomes important but then they don’t want to manage it anymore.” He cites the example of a sales director who finds an app to enable his staff to more easily track sales leads in the cloud. He has a few of his staff start to use it and they find it is easier than the prior system. The director migrates the entire sales staff to the cloud-based solution, and only after some issue arises does he go to IT and ask them to fix it or manage the system. This doesn’t make IT happy, he notes.
“IT usually controls things and mitigates the risk,” Land says. “When you have these cloud-based apps you don’t know what the risks are or how someone was provisioned.” If an organization is using more than one cloud app, identity management gets more complex, says Darren Platt, founder and CTO at Symplified Inc. Enterprise-based single sign-on systems solved a lot of the problems with employees accessing numerous systems, but cloud-based solutions that handle these same tasks are still emerging. “These were all uses that were solved inside the enterprise but now because
With the public cloud, security and identity have been treated as a secondary concern of the cloud there are new challenges,” Platt adds. “You need a different technology to solve the problems.” Auditing and provisioning are two specific weaknesses with cloud-based identity management. With no central ID repository each application is managed separately and there is no central audit trail to check an employee’s activity, explains Platt. This also leads to issues when an individual leaves a company and has to be de-provisioned. “A sales representative could be given access to engineering drawings to show clients,” Platt says. “He leaves the company and is taken off of the expense and other systems but is still in the engineering one because there’s no central point of control.” Cloud-based single sign-on can be created, says Platt. There are a number of different approaches. One would have vendors deploy an in-house gateway that strings together the different cloud-based sites, apps and authentications.
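The de-provisioning gap Platt describes (a leaver removed from the expense system but still present in the engineering one) is exactly what a periodic reconciliation against the HR roster catches when no central repository exists. The script below is an added example, not code from the magazine or from any vendor quoted in it: it pulls each app’s user list, compares it with the roster, and reports orphan accounts, leavers who are still provisioned, and active users whose department is not entitled to the app. The roster, the app exports, the ALLOWED_DEPTS table and all field names are constructed assumptions.

```python
"""Reconcile per-app user exports against the central roster.

Added example, not code from the magazine or from any vendor quoted in it.
The roster, the application exports and the department entitlements below
are constructed sample data; all field names are assumptions.
"""

# Constructed sample: the HR/directory roster, treated as the source of truth.
ROSTER = {
    "asmith": {"status": "active", "dept": "sales"},
    "bjones": {"status": "active", "dept": "engineering"},
    "cdoe": {"status": "terminated", "dept": "sales"},  # has left the company
}

# Constructed sample: user lists exported from each cloud app separately,
# because without a central repository there is no single place to look.
APP_USERS = {
    "expenses": ["asmith", "bjones"],                         # cdoe was removed here
    "crm": ["asmith", "cdoe"],                                # cdoe still present
    "eng-drawings": ["asmith", "bjones", "cdoe", "ghost01"],  # sales rep, leaver, unknown
}

# Assumption: which departments are entitled to an account in each app.
ALLOWED_DEPTS = {
    "expenses": {"sales", "engineering"},
    "crm": {"sales"},
    "eng-drawings": {"engineering"},
}


def reconcile(roster, app_users, allowed_depts):
    """Return (app, user, reason) for every account the roster does not justify.

    Three classes of finding come out, in a stable sorted order:
      - "not in roster": an account nobody in HR knows about (orphan or local admin)
      - "roster status is ...": a leaver still provisioned in the app
      - "department ... not entitled": an active user with access beyond their role
    """
    findings = []
    for app in sorted(app_users):
        for user in sorted(app_users[app]):
            entry = roster.get(user)
            if entry is None:
                findings.append((app, user, "not in roster"))
            elif entry["status"] != "active":
                findings.append((app, user, "roster status is " + entry["status"]))
            elif entry["dept"] not in allowed_depts.get(app, set()):
                findings.append((app, user, "department %s not entitled" % entry["dept"]))
    return findings


def deprovision_plan(findings):
    """Group findings by user so a single ticket lists every app to clean up."""
    plan = {}
    for app, user, _reason in findings:
        plan.setdefault(user, []).append(app)
    return plan


if __name__ == "__main__":
    found = reconcile(ROSTER, APP_USERS, ALLOWED_DEPTS)
    for app, user, reason in found:
        print("%-13s %-8s %s" % (app, user, reason))
    print(deprovision_plan(found))
```

Run as-is, the report shows cdoe still present in two of the three apps, an unknown ghost01 account in the drawings system, and the sales rep holding engineering access that the role table does not cover; the last item is the "given access to show clients" case and needs a human decision rather than automatic removal. Scheduling the same comparison after every HR status change is what a central point of control gives you for free and what separately managed cloud apps do not.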
THE MOBILE AND THE CLOUD The combination of mobile devices and cloud computing can enable individuals to access information anywhere they have an Internet connection. This is good and bad, says Tony Busseri, CEO at Route1. “The mobile computing world will save companies a lot of money by making employees more efficient,” he says. “But we have to put in more time for identity management.” Mobile devices are causing headaches for network administrators. “People believe that data should follow them and they should have access to information wherever they are,” Busseri says. “But much of that information should not leave the firewall.” The best way to use mobile devices and the cloud is to set up an infrastructure where information can be viewed and changed but not removed from the cloud, Busseri says, “so data can’t be pulled on to the device.”
THE CLOUD, THE MOBILE AND PHYSICAL ACCESS CONTROL The cloud and mobile computing may revolutionize the physical access control industry, says Tam Hulusi, senior vice president for Strategic Innovation and Intellectual Property at HID Global. Instead of having a wired physical access control system, a mobile device with its wireless connection could be both the key and the processor. “Instead of a reader going to a panel and a panel going to a computer you would have the phone do it all,” Hulusi says. “Your handset is just as smart as the reader and panel.” With cloud-based physical access control the phone will be the rules engine. When an employee goes to a door several things will happen. The phone will confirm the location, make sure the employee has proper authorization to access the area and ensure that access is allowed at that specific time. All this data will be checked against data stored in the cloud and then the handset will send an encrypted signal to the door for it to open. “Physical access control systems won’t have to be wired,” Hulusi says.
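The flow Hulusi sketches (check location, authorization and time window against cloud data, then send an encrypted signal to the door) is shown below as an added example; it is not HID’s code or design. One design choice is made explicit: the cloud policy service takes the decision and signs a short-lived, single-use grant with a key shared with the door, and the handset only relays it, so a phone that is lost, rooted or simply lying about its location cannot mint an open command on its own. POLICY, DOOR_LOCATIONS, DOOR_KEY, the 30-second lifetime and the use of a per-door shared HMAC key are all assumptions.

```python
"""Cloud-decided, door-verified access grant.

Added example, not HID's code or design. The cloud policy service evaluates
location, authorization and time of day, then signs a short-lived grant; the
door verifies the signature, the door id, the validity window and a nonce.
POLICY, DOOR_LOCATIONS, DOOR_KEY and GRANT_LIFETIME are assumptions.
"""
import hashlib
import hmac
import json

# Constructed sample key shared by the cloud policy service and one door.
DOOR_KEY = b"door-7-demo-key-not-for-production"

# Constructed sample policy: doors each user may open and permitted hours (24h clock).
POLICY = {
    "fjones": {"doors": {"door-7"}, "hours": (8, 18)},
    "bjones": {"doors": {"door-2"}, "hours": (0, 24)},
}
# Constructed sample: where each door physically is, for the location check.
DOOR_LOCATIONS = {"door-7": "bldg-A-lobby", "door-2": "bldg-B-east"}

GRANT_LIFETIME = 30  # seconds: long enough to walk up, short enough to limit reuse


def issue_grant(user, door, hour, phone_location, now, nonce, key=DOOR_KEY):
    """Cloud-side rules engine. Returns a signed grant, or None if policy denies.

    `hour` is the local hour of day used for the time-window rule; `now` is the
    epoch-seconds timestamp written into the grant; `nonce` is a fresh
    per-request value (passed in so the function is deterministic to test).
    """
    rule = POLICY.get(user)
    if rule is None or door not in rule["doors"]:
        return None                                  # not authorized for this door
    start, end = rule["hours"]
    if not start <= hour < end:
        return None                                  # outside permitted hours
    if phone_location != DOOR_LOCATIONS.get(door):
        return None                                  # handset is not at this door
    claims = {"user": user, "door": door, "iat": now,
              "exp": now + GRANT_LIFETIME, "nonce": nonce}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def door_verify(grant, door_id, now, seen_nonces, key=DOOR_KEY):
    """Door-side check. Returns (ok, reason).

    The door trusts only the cloud's signature: a phone that fabricates or
    edits a grant fails the MAC check, an old grant fails the expiry check,
    and a captured grant fails the nonce check on its second use.
    """
    if not isinstance(grant, bytes):
        return False, "malformed"
    try:
        payload, tag = grant.rsplit(b".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["door"] != door_id:
        return False, "wrong door"
    if not claims["iat"] <= now <= claims["exp"]:
        return False, "expired"
    if claims["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(claims["nonce"])
    return True, "open"


if __name__ == "__main__":
    seen = set()
    grant = issue_grant("fjones", "door-7", 10, "bldg-A-lobby", 1000, "n1")
    print(door_verify(grant, "door-7", 1010, seen))   # first use opens the door
    print(door_verify(grant, "door-7", 1015, seen))   # the same grant again is a replay
```

The door keeps only a small set of recently seen nonces (anything older than GRANT_LIFETIME can be dropped) and a clock that is roughly in sync with the cloud; it needs no network connection of its own, which is the unwired deployment Hulusi describes. If the door must work while the cloud is unreachable, the same verify routine can accept grants signed in advance, at the cost of a longer lifetime.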
The Pentagon’s road to PIV compliance
Defense Department rolling out CAC-enabled physical access

Enhancing security at the world’s largest flat office building is a project of immense scale, but the Pentagon Force Protection Agency’s Privilege Management Program has the Pentagon on track to become one of the world’s largest PIV implementations.

Four years ago, the Pentagon Force Protection Agency initiated a system to meet HSPD-12 requirements. Because the Defense Department had a longstanding, well-established credential program, there were significant challenges to implementation. The Common Access Card, the Defense Department’s credential, had been used more for logical access than physical access, with magnetic stripe still used for the latter at most locations. “The Department of Defense is always unique in how it implements federal policies,” says Derek Nagel, access control branch chief at the Force Protection Agency.

The Force Protection Agency is also underway on the Pentagon Century project, a five-year effort to upgrade the building’s entire perimeter, says Nagel. This project was developed in response to the Sept. 11 attacks and other incidents, including a March 2010 attack in which a gunman opened fire at the Pentagon’s entrance. Along with pushing out the perimeter of the building, the Force Protection Agency is replacing its older turnstiles with full-height models, says Nagel.

Even before the Privilege Management Program came about, the Force Protection Agency knew becoming PIV compliant would be a huge undertaking due to the Pentagon’s enormous size. It encompasses 6.7 million square feet and 17.5 miles of corridors. There are 25,000 assigned personnel, more than 1,000 visitors every day and 10,000 parking spaces. The program will also be implemented at the Mark Center, the Pentagon’s new 6,100-person office complex in Alexandria, Va., says Nagel.

To that end, the Force Protection Agency has undertaken many projects to bring PIV compliance to fruition. It is upgrading the Pentagon Physical Access Control System, which consists of more than 5,000 access control readers and 2,000 access control panels. The old panels didn’t have enough horsepower, says Nagel. “All the panels are being upgraded presently. We are more than a third of the way through,” he says. Likewise, approximately one-third of the readers have been upgraded, with the rest scheduled for completion by April. Additionally, the project involves upgrading the access control servers because they are at the end of their lifecycle, says Nagel.

The new readers will be multi-technology, replacing the current mag stripe technology. The requirement is that they be able to read mag stripes and contactless simultaneously. “All readers we’re installing now have that ability,” says Nagel, explaining that this will enable a seamless transition to using the Common Access Card for physical access.

The Force Protection Agency developed its Privilege Management Program to enable multimodal access. In early 2010, it built a prototype enrollment solution to enroll both fingerprints and iris. The enrollment solution for ID management aims to bind users to the Common Access Card via a secure biometric indicator, says Nagel.
TESTING THE SYSTEM When the Force Protection Agency first built its biometric access control system and tested it in a lab atmosphere, it was capable of processing only six to seven people per minute using card plus iris or fingerprint. This was unacceptable given the amount of traffic that goes through the Pentagon and Mark Center on a daily basis, Nagel explains. Refinements brought that number up to ten to eleven people per minute, says Nagel. This system was delivered in early February 2012 and is being piloted at the Mark Center. The 6,100 employees were enrolled in the system and the Force Protection Agency assigned privileges and access rights. Funding for this phase came from the Biometrics Identity Management Agency, says Nagel.
LESSON LEARNED The failure-to-enroll rate is about one percent for both fingerprint and iris, says Nagel. If they had used only a single modality, about 250 people would be unable to use the system, explains Nagel. That led the group to use a multimodal solution that should result in just two or three failures to enroll out of the Pentagon’s 25,000 population. “Out of 6,100 people (at the Mark Center), we haven’t failed to enroll anyone in at least one biometric,” says Nagel.

Enrolling people into the system takes two to three minutes, says Nagel. The applicant first goes to a kiosk and presents their card to a contactless reader to ensure the interface is operational. Next the user inserts the card, enters a PIN and gets a PKI validation. The enrollee moves on to face-to-face interaction with an enrollment officer, who captures more biographical information and enrolls the biometrics.

To use the system for entering the building, the person walks up to the perimeter turnstile, presents the card and has the option to do either a fingerprint or iris scan, says Nagel. To leave the building, the person will just have to use their card. Because the Mark Center was a new building, it was simple to make it PIV compliant because they had to order all new equipment, says Nagel.

Phase 2 will use FICAM to automate processes that are manual and tie together disparate systems, like visitor control and parking management, says Nagel. The privilege management program will act as the middleware. “It binds everything back to the Common Access Card,” says Nagel. Nagel says the Force Protection Agency’s next big project is to roll out the program at the Pentagon. “The Mark Center proved it could be done,” says Nagel. But he explains the Pentagon works on a much larger scale, processing 16,000 to 17,000 employees a day.
THIS PROCESS IS EXPECTED TO START THIS SUMMER The agency still has work to do to incorporate acceptance of PIV credentials from other agencies, says Nagel. “PIV-I we’ve already got,” he adds. One other challenge comes in dealing with the agency’s vendor and concession population. Because these groups are non-CAC/PIV eligible, the Force Protection Agency had to come up with another solution for them. These groups will use a contactless only credential that follows the same model as PIV, says Nagel. The card will have a contactless chip and the same mandatory features as the PIV card, including laser engraving and holograms. But it will only work at perimeter PIV readers, he says. Full implementation of the Pentagon system is expected to take two to three years.
airport credentialing update

TSA ADDS AIRPORTS FOR EXPEDITED TRAVELER PROGRAM
Transportation Security Administration’s passenger pre-screening initiative, TSA PreCheck, is expanding to additional airports following the success at seven pilot locations. With more than 336,000 passengers screened to date through TSA PreCheck lanes, this screening concept is designed to enhance security by enabling TSA to focus its efforts on passengers the agency knows less about, while providing expedited screening for travelers who volunteer information prior to flying. Eligible participants include certain frequent flyers from participating airlines as well as members of Customs and Border Protection’s Trusted Traveler programs – Global Entry, SENTRI, and NEXUS. If TSA determines a passenger is eligible for expedited screening following the TSA vetting process, information will be embedded in the bar code of the passenger’s boarding pass. TSA will read the bar code at the security checkpoint and may refer the passenger to a TSA PreCheck lane for expedited screening. This can eliminate the requirement to remove shoes, liquids, laptops, outerwear, and belts. TSA will incorporate random and unpredictable security measures throughout the airport and no individual will be guaranteed expedited screening. As part of the agency’s risk-based security initiative, TSA is testing several other screening initiatives, including initiatives to provide positive ID verification for airline pilots and expanded behavior detection techniques. The program is operating with American Airlines at airports in Dallas, Miami, Las Vegas, Minneapolis and Los Angeles, and with Delta Air Lines at airports in Atlanta, Detroit, Las Vegas, and Minneapolis. US Airways, United Airlines and Alaska Airlines are all opting in new passengers and will begin operations later this year. As part of the initiative’s expansion, TSA PreCheck will be implemented at the following airport locations throughout 2012: Baltimore/Washington (BWI), Boston Logan (BOS), Charlotte Douglas (CLT), Cincinnati/Northern Kentucky (CVG), Denver (DEN), Fort Lauderdale-Hollywood (FLL), George Bush (IAH), Honolulu (HNL), Indianapolis (IND), John F. Kennedy (JFK), LaGuardia (LGA), Lambert-St. Louis (STL), Louis Armstrong New Orleans (MSY), Luis Muñoz Marín (SJU), Newark Liberty (EWR), O’Hare (ORD), Orlando (MCO), Philadelphia (PHL), Phoenix Sky Harbor (PHX), Pittsburgh (PIT), Portland (PDX), Ronald Reagan (DCA), Salt Lake City (SLC), San Francisco (SFO), Seattle-Tacoma (SEA), Tampa (TPA), Ted Stevens Anchorage (ANC), Washington Dulles (IAD).

BIOMETRICS, SMART CARDS FOR PHYSICAL ACCESS AT LOS ANGELES-AREA AIRPORTS
Los Angeles World Airports, an agency that oversees Los Angeles International (LAX), LA/Ontario International and Van Nuys, is upgrading its internal physical security with contactless smart cards and biometric authentication. Unisys will upgrade the access control and alarm monitoring system that is used to identify the 45,000 airport employees, contractors and police. The airports’ existing magnetic stripe card readers will be replaced with a contactless smart card system that will make it more difficult for non-authorized individuals to access secure areas. New readers will be installed at 870 access points in the airports. According to a Unisys spokesperson, the airport opted not to use the PIV-I specification. ImageWare Systems will supply a multi-biometric solution and various identity management and credential issuance components for the three airports.

AOPTIX IRIS RECOGNITION INCREASES GLOBAL REACH WITH SITA
Airport information technology provider SITA will offer AOptix biometric solutions to airports worldwide. With customers in more than 200 countries and 300 airport locations, SITA will offer AOptix InSight iris recognition products for airports seeking to quickly and securely identify passengers at security checkpoints with documents such as biometric-enabled passports. AOptix’s InSight solution authenticates a person’s identity from 1.5 to 2.5 meters distance and has application in border crossing and airport security.
CONGRESS ADMONISHES TSA FOR FAILED ID PROGRAMS
The U.S. House of Representatives released a critical report calling for reform at the Transportation Security Administration, ten years after its creation. “TSA has lost its focus on transportation security. Instead, it has grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power,” the report states. TSA credentialing efforts are called out specifically. The report admonishes the TSA’s trusted traveler program efforts. “TSA has tested numerous pilot programs for trusted travelers, including its current PreCheck program, but has failed to develop an expedited screening program that utilizes biometrics to positively identify participants.” The TSA was supposed to have created standards for biometric credentials to be used at airports as well. “These standards are necessary for the Federal Aviation Administration to implement a congressionally-directed requirement for biometric pilot licenses.” The Transportation Worker Identification Credential hasn’t been fully deployed either. “TWIC, which has cost over half-a-billion dollars, has been crippled by latent programmatic weaknesses. TSA still has not deployed TWIC card-readers to many of the Nation’s ports.”

AIRPORT ACCESS CONTROL AND CREDENTIALING STANDARDS TO GET REWRITE
Lars Suneborn, director of the Government Program Group for Hirsch Electronics, will lead the RTCA (Radio Technical Commission for Aeronautics) Subcommittee SC 224 effort to update the RTCA DO230 Integrated Security System Standard for Airport Access Control. A thirty-year veteran of the identity management and access control industries, Suneborn will lead the subcommittee through a complete overhaul and revision of physical access control system performance standards for the U.S. air transport industry. Last updated in February 2008, these standards provide guidance to airports nationwide on the implementation of airport staff security systems including identity management and credentials, physical access control, intrusion detection and video surveillance. The official standards advisory council will meet several times over the next 16 months. Along with the committee’s security industry experts, key personnel from FAA, TSA, AAAE, ACC, ACI, DHS and additional industry-associated individuals will be invited to attend and observe.
OLYMPIC VIPS TO GET FAST-TRACKED AISLE FOR IMMIGRATION AT HEATHROW The 25,000 VIPs – including athletes, coaches and officials – arriving for the summer Olympics in London will have a dedicated passport lane at Heathrow International Airport. The UK Border Agency, however, is worried about what the dedicated lane will mean for non-VIP travelers arriving from outside the European Union, as they already deal with up to two-hour waits during peak travel times. Prior to entering the UK, VIPs will have the option to register their information, fingerprints and a photograph. If they do not register ahead of time, however, a border agent will have to collect the information upon entry to check the traveler against terrorist and criminal watch-lists. Despite the creation of the dedicated lanes, UK Border Agency documents point to a fear of non-VIP passengers being unduly delayed due to extra border agents being pulled to assist with back-ups in the VIP lane. Officials from Heathrow acknowledge that dealing with the unusually high number of travelers, along with unusual baggage such as canoes and vaulting poles, will present a great challenge. Nevertheless, officials maintain that the airport is up to the task.
EXPERT PANEL What’s in a credential? COLIN SOUTAR, DIRECTOR OF IDENTITY AND PRIVACY ASSURANCE, CSC

In the past, the term “credential” was used solely to refer to a dedicated physical entity that intertwined an individual’s identity with a specific entitlement, for example a passport or driver’s license. We’ve all witnessed the progression over the last decade or so, however, towards trusted identities that are separated out and used to access many different entitlements. Such trusted identities are typically manifested either as a secured version of the physical credential – the smart card – or as an online digital “persona.” To a degree, these techniques traditionally supported either end of the levels-of-authentication range. However, the definition and certification of trust frameworks and the desire of users to use their own smart phones to access online and physical services has led to a much broader range of form factors that are being considered to support trusted identities. We believe that this trend will continue throughout 2012 and that the evolution of form factors will re-shape what we have traditionally defined as a “credential.”

In support of this, trust frameworks are helping to drive a clearer separation of the functions of identity proofing, identifier authentication and authorization. This provides a structure that enables various identity providers to supply certified components of identity proofing or identifier authentication, as referenced in the recently-updated version of the NIST Electronic Authentication Guideline. In addition, trust frameworks also enable service providers to “consume” a range of certified digital identities to support their required degree of identity assurance, in accordance with the assessed risk level.

In this light, a PIV card is underpinned by the identity proofing provided by the NACI process, along with the authentication techniques specified in FIPS 201-1, up to and including biometric authentication. This combination of strong identifier authentication and a well-defined identity proofing process supports the production of the very high assurance credential for this program. The smart card provides the secure credential to bind together a user’s identifier with their “proofed” identity. Thus, it is clear that the three salient attributes of the PIV card are: the underlying identity proofing process; the use of strong authentication; and the secure binding inside the smart card of the user and the identifier by which they are known.

The projection of these three factors, along with implicit cryptographic data protection and transport mechanisms, onto many diverse form factors such as smart phones will enable users to access services using a broad variety of authentication mechanisms, in some cases using derived credentials. Indeed, as the global use of smart phones in personal, corporate, citizen and defense environments expands, it is critical to focus on these attributes to ensure that they are certified to fulfill a specified degree of identity assurance, rather than on the particular form factor used. This will enable users and service providers alike to use or accept, respectively, a wide range of user credentials, and will narrow the gap in terms of the levels of authentication that the various form factors can support. We envisage that 2012 will see this continued certification of identity components and, therefore, users will be able to interact with service providers in a variety of ways. This will improve user convenience, by providing the ability to use already-available devices such as smart phones, in some cases with built-in biometric authentication capability. By the end of the year, this combination of strong authentication, along with the appropriate identity proofing, will allow such devices to be used in high assurance environments, and thereby serve as trusted credentials.
Own the entire collection
Get 1000+ pages of ID insight. Receive 70% off for a limited time (just $60).
- Educate new employees
- Refresh your industry knowledge
- Research for presentations
- Review best practices
- Gain a competitive edge
For the first time, AVISIAN is offering all back issues of their industry leading re:ID magazine in a packaged set. You receive three years’ worth of top-notch news and insight – 25 issues of re:ID and six issues of CR80News magazine. Plus you get password-protected access to our online library with more than 20,000 articles and 1200 members-only articles.
visit store.avisian.com | select re:ID back issue collection | enter discount code “SAVE70”
Back issues pictured: Summer 2009, Fall 2010, Winter 2010, Spring 2011, Fall 2011, Winter 2011. Cover stories include: ID as a service; Biometrics for physical access control: match-on-card, spoofing, gait and more; Outsourcing identity and credentialing matures; Visa: ‘Yes’ to U.S. chip-and-pin; Phones replace cards for access; New mandate puts PIV to work; Hacking: the impact of smart card and security hackers; Making the case for first responder IDs; 2010: the year that wasn’t; Health care’s security breach; Germany’s contactless national ID; Top trends in identity; Beyond the NFC hype; ePassports spread to half the globe; Voter IDs, health IDs, traveler IDs; Iris at-a-distance takes biometric center stage; Biometric social security cards; White House pushes online ID; Next generation e-passports; Health care mulls identity options; EMV takes aim at U.S.; The mobile as a credential: is the handset the ID of the future?; Contactless pickpocketing; INTERPOL’s converged ID; Facial recognition gets real.
Subscribe today
Regarding ID Magazine features the best editorial insight from across the ID technology landscape. Sign me up for a 1 year subscription for just $39. Own the entire collection (1000+ pages of ID technology) for $60.
Fax this form to 850-222-4477 or purchase online at http://store.avisian.com
EXPERT PANEL Easier, better identity on the horizon JON CALLAS, CTO, ENTRUST
One of the most exciting things that will happen in the next year or two is the confluence of a few major trends. It’s exciting because, together, they promise to make security and identity better and more manageable than it has been in the past.

The first of these changes is BYOD (Bring Your Own Device) computing. BYOD is a much better term than “consumerization” and really portrays the meaning that many of us are buying smart phones, tablets or laptops to use on a work network. The tension this creates is predictable. On the one hand, the organization benefits from reduced equipment costs and the end-user is able to select their device of choice. On the other hand, there are management and security problems with these new devices. How to set up, maintain and secure BYOD devices is an issue for IT departments. For many organizations, however, it isn’t as bad as one might think. We’ve been casually setting up employees’ home computers for years – and gritting our teeth as their family used it, too. Yes, there are challenges, but they aren’t completely new. Let’s also be blunt and say we have to do this because the CEO got a new iPad and wants to use email on it. Most BYOD deployments start that way – the IT department balks until someone in the C-suite demands it. Then it gets done.

In 2012 and beyond, we’re going to see more and more different devices coming into the workplace. The days when it was Windows for the desktop and BlackBerry for the road are gone. In fact, you probably are already seeing it. People are using Macs or Linux as their main PC, along with iPhones, iPads, Android phones and tablets, Windows Phone and so on. Just a few weeks ago, Forrester Research said, “It’s time to repeal Prohibition” on Macs in the workplace, but the real changes are going to come from the smart phones and tablets. More people will be doing more work on them. The traditional non-laptop PC is going to be just a piece of office equipment, like the Selectric typewriter of old.

The next of these changes is increased security on mobile devices. The mobile operating systems – iOS, Android, Windows Phone, BlackBerry – are designed from the start with security in mind. They are already at least as secure as the traditional desktop OS out of which they grew. Many are more secure. They’re all getting more secure and rapidly so. These operating systems are developed on a one- to two-year schedule, as opposed to the two- to five-year schedule of the desktop OS. They do less, which is part of why they are developed faster. This short development timeline also serves as a security feature because there’s a smaller attack surface. They are upgraded quicker, which means security improvements come to them faster. Also, since there is not a single OS dominating mobile devices, it makes the bad guys do more work for fewer rewards. In 2012, you’ll see more people rely on their mobile devices more than they rely on their traditional personal computer.

The last of these changes is a technology called near field communications, or NFC. NFC is a short-range wireless communications protocol; it is the very same protocol that contactless smart cards use. If you use PayPass or another contactless credit card, that’s NFC. There are relatively few devices with NFC today, but there will be more in 2012. They’re convenient and secure, and what’s not to like when you get both convenience and security?

Together, these three trends lead to an Internet of Things, where smart phones use NFC to make statements about the physical world. But more importantly, there’s an Internet of Secure Things coming. You will be able to use your smart phone to badge in to work, unlock your PC, start your car or motorcycle (the prototype of that is already working), as well as merely pay for things. It isn’t going to all happen in 2012, but we are likely to look back at 2012 as the year when it took off.
EXPERT PANEL An exercise in mobility DAVID WORTHINGTON, PRINCIPAL CONSULTANT FOR PAYMENT AND CHIP TECHNOLOGY AT BELL ID
Most consumers are comfortable with the concept of a mobile phone as a secure, multifunctional device. It is this consumer acceptance, coupled with technological advancement, which make the 2012 market conditions ripe for greater expansion in mobile services. The rich user interface offered by smart phones provides a number of options for device interaction, including full QWERTY keyboards, interactive touch screens and voice recognition systems. The availability of these options increases the scope for the phone’s potential use. Combine these with the number of connectivity options available – near field communication (NFC), Wi-Fi, over the air, Bluetooth – and it quickly becomes apparent that we have only just begun to realise the potential for all manner of consumer services. Success for 2012 will come from effectively securing these services as they emerge.
STANDARDIZATION OF THE TEE By their very nature, phones are not as secure as cards. Yet. The industry is responding to an increase in malware by working to standardise the trusted execution environment (TEE). The TEE is a secure area that resides in the main processor of a mobile device, ensuring that sensitive data is stored, processed and protected in a trusted environment. GlobalPlatform’s work to standardize the TEE will offer greater security to the end user and industry stakeholders, allowing the secure deployment of a plethora of new mobile payment services.
CROSS-INDUSTRY COLLABORATION The technology is, however, only one piece of the jigsaw. Another key challenge for 2012 will be for the key stakeholders to establish cross-industry relationships where none have existed previously. Greater collaboration is needed to avoid fragmentation of the marketplace. We will see more alliances forming, between banks and mobile network operators, for example, in order to develop a sustainable mobile ecosystem that will lead to the deployment of payment solutions.
TSM; IN-HOUSE OR OUTSOURCED? More industry players will decide whether to form relationships with a trusted service manager (TSM) or adopt the task themselves. A TSM sits at the heart of the ecosystem and enables the provisioning and management of mobile NFC-based applications for itself and/or third parties. Companies, banks, governments, network operators and other stakeholders will take the decision to either provision their trusted services by managing registration processes and outsourcing the operational provisioning for mobile applications or opt to become TSMs in order to reduce operational and ecosystem complexity.
BIOMETRIC SECURITY In personal identification, 2012 will see the increasing introduction of biometric technology into mobile devices. Fingerprint scanners have been incorporated into some mobile devices – as with laptops – for some time but with an ever-increasing volume of personal and business data being carried in pockets, tightening access control is vital. Smart phone HD cameras are also increasingly capable of supporting iris scanning. This form of authentication could easily be transferred to mobile devices replacing numeric logins.
INTRODUCTION OF SECURE READER APPLICATIONS There will be increasing use of mobile devices as secure readers for contactless cards to view smart ID, license and entitlement credentials. An implementation case could see embassy workers operating offsite, needing easy and convenient access to details stored on a citizen’s chip-based passport/ID card. This technology will increase convenience greatly, enabling faster identification.
LARGE SCALE ROLL OUTS Finally, 2012 will be the year of large-scale mobile NFC service rollouts. We will see increasing use of mobile NFC for transit cards (e.g. Dubai), ID (e.g. Canada) and contactless (EMV) payment worldwide. The technology is in place to make these things a widespread reality; it is now down to the industry players to come together and make it happen. However, without on-going advancement in mobile security such as the standardisation of the TEE, and adoption of commercially viable cooperation models across the industry, it will be difficult to quickly reach a sustainable and interoperable ecosystem. So far, things remain on track for significant sector revenue growth, but maintaining success throughout 2012 will require 10% inspiration and 90% collaboration.
Recently approved FbF® mobileOne is an open platform enabling development of fingerprint-enabled business applications on Apple iOS devices (iPhone, iPod touch and iPad). The FbF mobileOne Developer Bundle includes a fingerprint biometric attachment for Apple iOS devices and an iOS Library. The FBI has certified that the product meets specifications listed in EBTS Appendix F Mobile ID SAP10 using Personal Identity Verification (PIV) Single Finger Capture Device Specifications of the FBI’s Integrated Automated Fingerprint Identification Systems (IAFIS) Image Quality Specifications. To learn more, visit www.fulcrumbiometrics.com or call 210.348.3687 x110.
Ready to explore compliant credentialing for your enterprise? FIPS201.com is the best place to learn about the array of products certified by the US federal government for PIV and PIV-I use. Heralded as the future of standards-based identity systems, PIV-I solutions are launching or being evaluated by corporations, first responder groups, campuses, hospitals and other organizations where security is key and standards-based solutions are embraced. Begin your investigation at FIPS201.com to find the latest project news, access documents and presentations from pioneering organizations, and evaluate products; from cards and readers to biometrics and cryptographic elements.
Recently Approved Products

Transparent Card Reader
* Dell External USB Keyboard with Smart Card Reader (part SK-3205) – Dell, Inc.
* SE LP10 – Sargent Manufacturing Company
* Lenovo USB Smart Card Keyboard – Lenovo
* ThinkPad T410 Smart Card Reader – Lenovo Japan, Ltd.
* ThinkPad T510/W510 Smart Card Reader – Lenovo Japan, Ltd.
* iCLASS SE R10-F – HID Global Corporation
* iCLASS SE R15-F – HID Global Corporation
* iCLASS SE R30-F – HID Global Corporation
* iCLASS SE R40-F – HID Global Corporation
* iCLASS SE RK40-F – HID Global Corporation
* iCLASS SE RP10-F – HID Global Corporation

PIV Card
* ID-One PIV (Type A) Large D (version 2.3.2-a) – Oberthur Technologies
* ID-One PIV (Type A) Standard D – Oberthur Technologies

Card Electronic Personalization Device
* ActivID CMS for PIV – ActivIdentity

Single Fingerprint Capture Device
* CN3/CN4 Personal Identity Verification (PIV) Reader – Edgeline Technologies, LLC
* SecuGen Hamster IV v2 Optical Fingerprint Reader – SecuGen Corporation
* SecuGen iD-USB SC/PIV v2 Optical Fingerprint Reader – SecuGen Corporation

Caching Status Proxy
* pivCLASS Validation Server – HID Global Corporation

Cryptographic Module
* PrivateServer – Algorithmic Research (ARX)

Electromagnetically Opaque Sleeve
* RFID-tec 25 – Outpac Designs Ltd.
REVIEW GOOGLE AUTHENTICATOR ZACK MARTIN, EDITOR, AVISIAN PUBLISHING
Last year Google enabled one-time pass codes to secure access to its suite of document applications. Use of the additional security wasn’t made mandatory. Rather, it is an option for users wishing to add a second factor of authentication to fend off risks like phishing scams and password compromise. For Google Apps, Premier, Education and Government Editions, administrators now have the ability to secure user logins with a combination of the conventional username and password plus a one-time verification code provided to their mobile phone.
Once a user enrolls they select whether they want to download a dedicated app to generate codes on a smart phone or opt to receive the codes via text message or phone call. Users with smart phones download the Google Authenticator app – available for Android, BlackBerry and iPhone – which can generate verification codes without a network connection. Either way, the next time the user signs in to their Google account from any browser or device, they enter their traditional username and password and are then prompted to enter the one-time pass code. For convenience, checking “Remember verification for this computer” will enable 30 days of unfettered access for that specific browser. When I signed up for my Google+ and Google Docs accounts, I decided it was a good time to also test out Authenticator. Instead of getting the OTP from a text or call I chose to download the app.
ENROLLING IN THE SYSTEM WAS INTERESTING.
After launching the app on the smart phone you need to link it to your specific Google account. A QR code appears on your monitor, and the Authenticator app scans it using the phone’s camera.
This links the app on your phone to your specific Google account enabling future generation of pass codes specific only to you. At this point Google also provides you with a list of OTPs you can print out and carry with you in a wallet in case you need access and don’t have your mobile. For the most part the app has been simple to use. I log in with my user name and password and then another screen prompts me for my pass code. Activate the app, see how much time I have in the upper left hand corner and then enter the six-digit code. This is my first experience using an OTP and the one thing I’m vigilant of is the time. Friends that have used OTPs for work have sometimes complained about the lag between entering the code and the time it takes for verification. If the code is refreshed before it can be verified on the back end this can lead to user frustration, but I have not experienced this problem with Google Authenticator.
Though it works great on computers, my one gripe is using it to access the Google+ app on my phone. The process is cumbersome. I first get a pass code using the Authenticator app, then launch the Google+ app. Next I enter my user name and password and finally enter the pass code. All this must be completed before the pass code expires. I have less than 30 seconds to use my phone’s tiny keyboard to enter all three pieces of information, while remembering the random six-digit code. It would be far easier if I could enter my user name and password in Google+, launch the Authenticator app to get the code, then switch back to Google+ without having to reenter the other data. But because I can’t do this I have barely used the Google+ app on my mobile. Overall, Authenticator is great. It’s getting people comfortable using an extra factor of authentication, something I am confident we will all be using in the future to secure our identities online.
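The six-digit, 30-second codes, the QR-code enrollment and the "lag before verification" concern in the review above are all properties of the time-based one-time password algorithm (HOTP, RFC 4226, driven by a clock step as in RFC 6238), which is what the Authenticator app generates. The following is an added worked example written for this review, not Google's own code or the app's source: it derives a code from a shared secret, shows how long that code stays current, encodes the otpauth:// provisioning URI that an enrollment QR code carries, and verifies a submitted code the way a server would, with a one-step tolerance window so a code typed just before rollover still passes, and with replay refusal so the same code cannot be accepted twice. The secret, account name and issuer are constructed values (the secret is the RFC 6238 test key).

```python
# Added example: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation, the
# algorithm family Google Authenticator uses. Illustrative code written for this
# review, not Google's own. The secret and account/issuer names below are constructed.
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the clock (30-second steps by default)."""
    return hotp(secret, unix_time // period, digits)


def seconds_remaining(unix_time: int, period: int = 30) -> int:
    """How long the code shown right now stays current (the timer the review mentions)."""
    return period - (unix_time % period)


def verify_totp(secret: bytes, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """
    Server-side check. Accepts the code for the current step or up to `window`
    steps either side, so a code typed just before it rolled over still verifies;
    this is what absorbs the entry/verification lag the review describes.
    Returns the accepted counter, or None. Any step <= last_counter is refused so
    a code that was already used (or observed) cannot be replayed inside the window.
    """
    step = unix_time // period
    for delta in range(-window, window + 1):
        counter = step + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI that an enrollment QR code encodes (Key URI format)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={digits}&period={period}")


if __name__ == "__main__":
    import time
    demo_secret = b"12345678901234567890"           # constructed demo secret (RFC test key)
    now = int(time.time())
    print(provisioning_uri(demo_secret, "alice@example.com", "ExampleCorp"))
    print("code:", totp(demo_secret, now), "valid for", seconds_remaining(now), "s")
```

The server must keep the last accepted counter per user; without it, the tolerance window that makes the lag tolerable also lets a code that was shoulder-surfed or phished be reused for up to a minute. Clock skew between the phone and the server is the other failure mode to watch: if codes are consistently rejected, compare the two clocks before widening the window.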