Regarding ID Spring 2015

A SURVEY OF ID TECHNOLOGY - SPRING 2015 - ISSUE 41

EUROPE LEADS GLOBAL PUSH TO eID
STEPPING UP SOCIAL MEDIA CREDENTIALS
ADVANCED MATERIALS SECURE CARDS
DIGITAL ID BILL PASSES VIRGINIA LEGISLATURE


HOW DOES YOUR COMPANY IDENTIFY ITS EMPLOYEES?

By providing ID badges instantly with an Evolis card printer. Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.

www.evolis.com


Make sure every visitor is a welcomed one.

HID Global Secure Visitor Management solutions track your guests and protect your facility. Upgrade from unsecured paper guest books to the robust security of our EasyLobby® Secure Visitor Management solution. With EasyLobby, you can identify who is in your facility and why, control access to secured areas, screen against unwanted guests and more. Just scan each visitor’s ID and print a customized badge in seconds. And it’s scalable, so you’ll get the protection you need as your company grows. Request a free web demo at hidglobal.com/welcomed-cr80 © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and EasyLobby are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.



“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”

— Robert H. Marketing Director Corporate Technologies

Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.

Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.

© 2015 Entrust Datacard Corporation. All rights reserved.

DATACARD GROUP IS NOW ENTRUST DATACARD


CONTENTS

6 Editorial: Step-up authentication: High-assurance for the masses?
8 ID Shorts: News and posts from the web

22 Cover Story: The evolution of AFIS
Fingerprints are the oldest biometric, used by law enforcement to solve crimes for more than a century. Modern AFIS provide so much more, incorporating other biometric modalities and extending to an array of applications beyond law enforcement.
23 The evolution of biometrics in law enforcement: AFIS, NGI, multi-modal all leaving their print
26 AFIS standards still emerging
28 AFIS isn’t in your mobile phone
30 FBI pushes biometric technology center
A history of AFIS

33 Card Tech 101: Advanced materials secure IDs: Fighting counterfeits, adding durability with composite cards
The mix of materials used to create a card will greatly impact its durability and security. Commonly used plastic, PVC, is not the best option for secure IDs. Want to fight counterfeiting and extend card life the way high-security issuers do? Consider advanced materials.

36 Step-up auth adds assurance to social media credentials
It’s a common refrain: passwords suck and consumers need better authentication techniques. But getting strong digital credentials into the hands of millions is difficult. Step-up authentication provides a promising solution, enabling consumers to build high levels of assurance on top of existing social identities.
37 Obama calls to step-up with multi-factor auth
38 FCCX rebrands to Connect.gov: Program will enable Yahoo, Google, PayPal IDs on gov sites
40 How to: Adding social login to your site
41 Stats show social login a necessity
Elevated authentication in the enterprise: How corporations are enabling access to high-security apps

44 Iowa test drives mobile licenses
Kiosks enable license renewal, replacement

52 re:ID national eID series: Europe leads global push to eID
53 Germany opts for contactless eID
55 Estonia goes mobile

56 S.D. school district deploys enterprise-wide access control
Making physical access easier, more flexible with IP-based tech
58 Retransfer ups the ante for desktop card printers: Quick, cheap and high-quality all within reach
62 Virginia first state poised to enact digital identity law
64 OSDP access control spec delivers interoperability: Next steps include IP-based communication, new profiles
66 Biometric tech goes mainstream via national TV ads

Spring 2015


ABOUT

EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: re:ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2015 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

PERSPECTIVE

STEP-UP AUTHENTICATION: HIGH-ASSURANCE FOR THE MASSES?
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

A common refrain: passwords stink and consumers need better forms of authentication. I get a half-dozen emails each week touting the death of passwords, but alas, they still exist and will for a long while. The problem with better forms of authentication is vetting consumers so that relying parties have some level of assurance of an identity, and then issuing a credential that can work with those relying parties.

Having covered the smart card and identity markets for more than a decade, I also recognize the classic chicken-and-egg scenario that has plagued the industry. Do we issue a bunch of credentials and get them in circulation before they are accepted anywhere? Or should we get a lot of relying parties on board and then hope people flock to obtain the credential?

In the past months there’s been a lot of buzz around the idea of step-up authentication. These types of systems enable an individual to use a credential they already have – Google, Facebook, Twitter, etc. – go through some additional identity vetting and then have a higher level of assurance associated with that login at relying parties that accept it. The identity vetting most commonly used relies on knowledge-based Q&A pulled from the individual’s credit report and public records. After answering the questions correctly, the consumer has a higher level of assurance associated with that login wherever it’s accepted. Typically the consumer also has the ability to control where the credential will be used and to limit the information given up to the relying party.

An example of step-up may emerge from what the U.S. government is doing with Connect.gov, formerly its Federal Cloud Credential Exchange. Details haven’t been announced, but this scenario seems likely. A college graduate in the Washington area wants to work for the government. He searches USAJobs.gov for opportunities and signs up to receive emails about future openings. Instead of choosing a new user name and password to create an account, he opts to use his Google login for access to the site.

Months later he needs to file his federal income tax. He is automatically recognized with the social login from Google, but the IRS.gov site requires higher identity assurance. He answers a series of knowledge-based authentication questions and is then granted access and allowed to file the return. He has also garnered a higher level of assurance for that Google-issued credential, and it can be used at other sites. For example, if he applies for health care through HealthCare.gov, the stepped-up credential could be used there as well.

It is great to have high-assurance credentials in the hands of more consumers, but another important aspect of step-up is to require multi-factor authentication when these digital IDs are used. Since many people remain logged in with Google or Facebook throughout the day, typically they wouldn’t be required to enter a user name and password to be recognized by relying parties. But since step-up adds assurance to these credentials – which makes them even more dangerous if compromised – there must be greater security. When signing up for an email list, nothing additional would be required; the site would automatically recognize the user if they’re logged into the chosen identity provider. But to conduct a higher-value transaction, multi-factor would be necessary. The system would recognize the user, but might, for example, require a one-time passcode sent to the mobile phone as an extra security factor.

Step-up paired with multi-factor authentication is a strong combination. It’s a feasible way to get high-assurance credentials into the hands of consumers without a ton of friction or the high cost of issuing hardware tokens. In terms of security it might not be a government-issued PIV card, but for consumers it’s better than what they’re using, and it will certainly make it tougher for hackers and fraudsters.
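The editorial's scenario separates two things a relying party has to track: an identity assurance level that the knowledge-based vetting attaches to the credential itself (so a second site can rely on it), and a per-session second factor that has to be fresh for each higher-value action. The following added example, which is not code from the magazine or from Connect.gov, models that policy as a small decision function. The action names, the two-level scale ("social" and "vetted"), the 15-minute second-factor freshness window and the constructed clock are all assumptions made for the demonstration.

```javascript
// Added example (not from the magazine): a relying-party policy that models the
// editorial's step-up flow. Level names, actions and the MFA window are assumptions.
const IDENTITY_LEVELS = { social: 1, vetted: 2 }; // vetted = passed knowledge-based vetting
const MFA_MAX_AGE_SECONDS = 15 * 60;              // assumed freshness window for a second factor

// What each action needs: a persistent identity level carried by the credential,
// and whether a fresh second factor is required in the current session.
const ACTION_POLICY = {
  'subscribe-job-alerts': { identity: 'social', mfa: false },
  'file-tax-return':      { identity: 'vetted', mfa: true },
  'apply-for-coverage':   { identity: 'vetted', mfa: true },
};

// Returns 'allow', 'step-up-identity' (send the user to vetting) or 'require-mfa'.
function decide(credential, session, action, now) {
  const need = ACTION_POLICY[action];
  if (!need) throw new Error(`no policy for action: ${action}`);
  if (IDENTITY_LEVELS[credential.identityLevel] < IDENTITY_LEVELS[need.identity]) {
    return 'step-up-identity';
  }
  const mfaFresh = session.mfaVerifiedAt !== null &&
                   now - session.mfaVerifiedAt <= MFA_MAX_AGE_SECONDS;
  if (need.mfa && !mfaFresh) return 'require-mfa';
  return 'allow';
}

// Vetting raises the level carried by the credential itself, so every relying party
// that accepts the credential sees the result; a failed attempt changes nothing.
function applyVettingResult(credential, passed) {
  return passed ? { ...credential, identityLevel: 'vetted' } : credential;
}

// Walks through the editorial's scenario and returns the decision at each step.
function runScenario() {
  const outcomes = [];
  let credential = { issuer: 'google', subject: 'grad@example.com', identityLevel: 'social' };
  const session = { mfaVerifiedAt: null };
  let t = 1000000; // constructed clock, in seconds

  outcomes.push(decide(credential, session, 'subscribe-job-alerts', t));   // allow
  outcomes.push(decide(credential, session, 'file-tax-return', t));        // step-up-identity
  credential = applyVettingResult(credential, true);                       // KBA passed
  outcomes.push(decide(credential, session, 'file-tax-return', t));        // require-mfa
  session.mfaVerifiedAt = t;                                               // one-time passcode accepted
  outcomes.push(decide(credential, session, 'file-tax-return', t));        // allow
  // A second relying party sees the vetted credential but starts its own session,
  // so it still asks for a second factor before its high-value action.
  const otherSession = { mfaVerifiedAt: null };
  outcomes.push(decide(credential, otherSession, 'apply-for-coverage', t)); // require-mfa
  // The first site re-prompts once the second factor is stale.
  t += MFA_MAX_AGE_SECONDS + 1;
  outcomes.push(decide(credential, session, 'file-tax-return', t));        // require-mfa
  return outcomes;
}
```

The point of keeping the two checks separate is that the vetting result is a property of the credential and travels with it, while the second factor is a property of the session at one relying party and expires; a site that collapsed the two would either re-vet on every visit or skip the second factor once the user had been vetted anywhere.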

Join us at ISC West, Booth 28073. It’s fresh. It’s new.

Brilliantly simple end-to-end security. Introducing the next generation in integrated access control, perimeter solutions, and intruder alarms technology with Gallagher’s new range of products. Gallagher’s giving you the ability to go mobile, alarm right at the door, and simplify your security needs. Contact Gallagher North America, TEL: +1 877 560 6308. EMAIL: sales.usa@security.gallagher.co

security.gallagher.co


ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

GSA TAPS XTEC FOR MANAGED SERVICE OFFICE CONTRACT

XTec was awarded a five-year HSPD-12 Shared Service Provider contract by the General Services Administration. The award supports the GSA Managed Service Office, which provides HSPD-12 credential enrollment, issuance and management for more than 100 federal agencies under the USAccess program. XTec was the first GSA central issuance vendor in 2003 and is now returning to work with GSA on HSPD-12 credential issuance. The company will supply its Enterprise AuthentX 5 Suite for card issuance and lifecycle activities. With this award XTec will manage nearly 80% of all Executive Branch PIV credentials. Under USAccess, XTec will also serve as a foundational component to help agencies unite their logical and physical access control system implementation strategies. In addition to agencies under the USAccess program – such as the Department of Treasury, Department of Energy, Department of the Interior and Department of Agriculture – XTec also provides HSPD-12 credentialing services for the Department of Homeland Security, Department of State, National Science Foundation, Broadcasting Board of Governors, Smithsonian Institution and Department of Labor.

GOOGLE DEPLOYS FIDO ALLIANCE AUTHENTICATION SPEC
Internet giant supporting multiple tokens for two-factor authentication

Google is no stranger to multi-factor authentication, having launched the Google Authenticator app in 2011. The app enables users to use their smart phone to create a one-time passcode as an additional authenticator for access to Google Drive. The Internet giant announced that it’s deploying the FIDO Alliance authentication standards and that Google Chrome will support the standards that aim to make it easier to deploy FIDO Universal 2nd Factor authentication. Google will continue to support its app but is also adding support for the Security Key, according to a Google Security Blog post. The Security Key is a physical USB token. Rather than typing a one-time passcode, users insert the Security Key into a computer’s USB port and tap it when prompted in Chrome. When individuals sign into their Google Account using Chrome and Security Key, they can be assured that the cryptographic signature cannot be phished. Security Key and Chrome incorporate the open Universal 2nd Factor protocol from the FIDO Alliance, so other web sites with account login systems can get the specification working in Chrome too. Google is also hoping that other browsers will add FIDO support. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere the FIDO specification is supported. To begin using FIDO U2F authentication today, there are FIDO Ready devices, authenticators, open source solutions and servers available now directly from the following vendors: Duo Security, Entersekt, Infineon, NXP, Nok Nok Labs, Plug-up International, ST Microelectronics, Sonavation, StrongAuth, SurePassID and Yubico. Prices for some of the keys ranged from $6 to $50.

CALENDAR 2015

Connect ID, March 23-25, Walter E. Washington Convention Center, Washington, D.C.
ISC West, April 14-17, Sands Expo Center, Las Vegas, Nev.
RSA Conference, April 20-24, Moscone Center, San Francisco, Calif.
CARTES SECURE CONNEXIONS AMERICA, May 5-7, Walter E. Washington Convention Center, Washington, D.C.
Cloud Identity Summit, June 8-11, Hilton Torrey Pines, La Jolla, Calif.
Smart Card Alliance Government Conference, June 9-10, Walter E. Washington Convention Center, Washington, D.C.
Global Identity Summit, September 15-17, Tampa Convention Center, Tampa, Fla.
ASIS, September 28-October 1, Anaheim Convention Center, Anaheim, Calif.
Smart Card Alliance NFC Solutions Summit, October 28-29, Arizona Grand Resort, Phoenix, Ariz.
Cartes Secure Connexions, November 17-19, Paris-Nord Villepinte Exhibition Centre, Paris, France

NO PASSWORD, NO PROBLEM WITH ZWIPE MASTERCARD

The new Zwipe MasterCard lets consumers dump PIN codes and passwords in favor of a contactless payment card featuring an integrated fingerprint sensor. Users put their thumb on a designated area of the card, and then swipe to make a payment. It works using an integrated biometric sensor and Zwipe authentication technology that holds the cardholder’s biometric data directly on the card, not in an external database. It contains an EMV certified secure element and MasterCard’s contactless application. “The Zwipe MasterCard works just like any other payment card, but the PIN is replaced by a fingerprint authentication,” says Fredrik Gulowsen, Zwipe PR and marketing director. “For merchants and retailers, there is no difference between a standard EMV credit card and a Zwipe MasterCard. They both use the same point-of-sale terminals. They will, however, see shorter lines at checkout as well as potentially greater sales due to increased customer confidence.” Two banks are currently piloting the card. Gulowsen says the enrollment process will differ from bank to bank, and users will eventually be able to enroll online. “This means that banks will be able to supply even more secure cards, while consumers can forget their PIN codes and forget their passwords,” he says. Zwipe says the fingerprint is processed in less than one second. Another bonus: cardholders can make payments of any amount, unlike other contactless cards on the market, which sometimes have a limit on how much they can spend per transaction.

U.S. TREASURY STILL HAS WORK TO DO FOR HSPD-12 COMPLIANCE

It’s been years since PIV credentials were mandated, yet some government agencies still don’t have full issuance to employees. The U.S. Treasury Department released an audit stating that 15% of employees haven’t been issued credentials and that the agency doesn’t have the systems in place for employees to use the credentials. The agency had set a goal for its bureaus to achieve 100% compliance by Fiscal Year 2015, but it’s likely not to happen until FY 2018, and that’s only if funding is made available. “The IRS (a bureau of the Treasury Department) has spent more than $110 million to implement HSPD-12 and has budgeted an additional $19 million for FY 2014. Even so, HSPD-12 project management officials cite the lack of sufficient funding and staffing as a main obstacle to completing full implementation of HSPD-12,” the report states. On the physical access control side the IRS has implemented PIV systems at 130 locations, 21% of facilities. The agency plans to upgrade systems at another 361 facilities at a cost of approximately $123 million and an additional six full-time employees. Some 134 locations will not be upgraded because they have a lower security level or may be consolidated or closed at some future date.

On the logical access side, only 5% of the workforce uses PIV for access. The agency notes several reasons why more progress hasn’t been made on this front, including a contract with the union, the 2013 government shutdown, a lack of solutions, and systems that are incompatible with PIV. The agency is trying to remedy this, however, and last April began a project that would implement mandatory use of PIV cards for access to the IRS network for more than 30,000 additional IRS network users. This effort was to bring the total number of network users required to log on with their PIV cards to approximately 35,700 – 38% – by the end of FY 2014. As technological solutions are developed for incompatible technologies, mandatory PIV card logon will be enabled for additional network users.

STARWOOD GOES WITH BLUETOOTH FOR GUEST ACCESS

Starwood Preferred Guest members will be able to skip the check-in desk and use SPG Keyless, an application that uses Bluetooth low energy to access their rooms. Rolling out to Aloft, Element and W Hotels around the globe, SPG Keyless makes its debut in 10 hotels in markets including Beijing, Hong Kong, New York, Los Angeles and Qatar. The company plans for it to be available on 30,000 doors in 150 hotels around the globe by early 2015 across Aloft, Element and W hotels. SPG Keyless is available to SPG members who book a hotel room through one of Starwood’s channels – hotel web sites, SPG.com, the SPG app or customer contact centers.

SPG Keyless works when members register their phone through the SPG App and enable push notifications. After booking a reservation at a keyless hotel and approximately 24 hours before arrival, members are invited to opt in to the keyless option. Guests will receive a push notification noting that they are checked in, and the SPG App will update with a room number and Bluetooth key when the room is ready. Upon arrival at the hotel, the guest can completely bypass the front desk and go directly to the room. After ensuring Bluetooth is enabled, the guest opens the SPG App, holds the smartphone to the door lock, waits for the solid green light and enters the room. Starwood tapped the world’s largest lock manufacturer, Assa Abloy, to create the Bluetooth-enabled lock as well as the keyless software, which are designed to securely recognize and connect with a guest’s mobile device.

EVERYKEY WRISTBAND REPLACES KEYS AND PASSWORDS

Searching for better password protection? Everykey says its Bluetooth-enabled bracelet is all you need to thwart hackers. Instead of providing passwords on devices and social media accounts, the Everykey wristband automatically does the work when it’s within range of the user’s device. “Say you’re trying to log into your Amazon account,” says Chris Wentz, Everykey CEO. “Everykey will automatically log you in when it’s close to your computer and you visit the Amazon login page.” It can even provide a complex password on any site during user registration. Everykey uses the same AES 128-bit encryption found on websites that accept credit card information. Once the wristband is out of range, security mechanisms are automatically re-enabled. “Only your wristband and the devices it unlocks hold the encryption key,” Wentz says. “Our company doesn’t have access to that encryption key and therefore, we have no way of decrypting your passwords.” The bracelet needs to be charged about once a month. It is water resistant and can be quickly deactivated or disabled if lost or stolen. For the fashion conscious, it comes in a variety of colors.

In the future, Everykey plans to release a software development kit that would give the wearer immediate access to physically locked items like doors – no keys needed. Everykey was born during an entrepreneurship class project at Case Western Reserve University two years ago. The class professor liked the concept enough to invest in the startup. The company is raising money via a Kickstarter campaign to get the wristband into the market. “Kickstarter allows us to take preorders to fund our first production run, which also allows us to know how much we’re manufacturing before we go into production,” Wentz says. “We’re currently estimated to ship Kickstarter units in March 2015.”

SPRINT OFFERING PING IDENTITY FOR MOBILE ACCESS

Ping Identity is supplying cloud-based single sign-on for Sprint business customers that use Google Apps for Work. PingOne is an identity-as-a-service solution that delivers secure access for employees on any device and gives IT one dashboard to manage user access for all applications. PingOne supports applications that have standards-based single sign-on and applications with basic password-based logins. “This will enable Sprint customers who collaborate on their devices with Google apps to login with one password and get access to all their apps through the one login,” says Mike Kane, director of Business Development at Ping Identity. Sprint will set up the devices for employees so that all they have to do is use the one login and have access to all their apps and data, Kane says. IT managers will also be able to provision access to the apps and data from one place, making it a simpler process. Research firm IDC predicts that by 2015, 37% of the workforce will be mobile, so having access to collaboration tools on mobile devices will be critical to the success of businesses. Sprint’s offer of Google Apps for Work includes an array of deployment and support services, called Carefree Cloud, to help businesses plan and use the solution across all employees. It is designed to simplify the implementation and use of Google Apps for Work from end to end.

GOV.UK VERIFY PROMISES A WAY TO USE GOVERNMENT SERVICES SAFELY

Residents of the United Kingdom will soon have a new way to prove their identity online when they access government services. It’s called GOV.UK Verify. The government’s digital services team launched a public beta of the program in October after months of private testing. It’s touted as offering protection from ID thieves and those wanting to fraudulently access sensitive data. When the program is ready for full implementation, residents who want to access services will have their identities verified by certified third parties instead of a government database. “When you want to access a service using GOV.UK Verify for the first time, you’ll be asked to choose from a list of certified companies,” says Janet Hughes, a member of the Government Digital Service team that designed the program. The certified companies, like Verizon or Experian, are also known as identity providers. “Your chosen certified company will ask you for some information and carry out some checks to establish, to a defined level of assurance, that you are who you say you are,” Hughes writes in the government’s Identity Assurance blog. After verification, “your certified company will give you some sign-in credentials that you’ll be able to use to access an increasing range of government services.” Those services include tax credit renewals, change of address, and farming information. “The Government’s aim is that all the services that need identity assurance for individuals will be using GOV.UK Verify by March 2016,” Hughes says. “Between now and then we will gradually add more services and increase our ability to operate at the scale required for the full range of user needs and demand.”

THE DANGERS OF REUSING PASSWORDS

More research backs up what we already know about passwords: despite the warnings, we’re still rampantly reusing them across multiple accounts. The habit exposes individuals to identity theft and corporate networks to attack. And the threat is getting worse, according to research conducted on behalf of network security solutions provider Swivel Secure. The study looked at the online security habits of 2,500 working Americans. “This year has seen an all-time high in data breaches, which have left millions of confidential personal details, credit card and account numbers, and corporate systems exposed to theft,” says Fraser Thomas, vice president, international, Swivel Secure. “Yet this seems to have had little to no effect on the security practices of the country’s workforce.” Even so, 62% of respondents say they are concerned about their personal security online. Thomas says it’s time to “put an end to the password epidemic in 2015 by embracing today’s generation of strong online authentication.”

He calls passwords an outdated form of authentication. “Today’s cyber-criminals are well attuned to this problem and have designed hacks to capture all kinds of passwords,” Thomas says. “The bottom line is password reuse is making it easy for hackers to get hold of a horrifying amount of very important confidential information.”

Among the study’s findings:
One in five working Americans reuses the same username and password across their personal and business accounts.
Nearly three-quarters of U.S. business owners keep a written log or have another offline system for recording their passwords.
63% of U.S. business owners reuse the same passwords to log in to different systems.
61% of U.S. business owners are “unconcerned” by the security of their corporate systems.
73% of U.S. full-time workers admit to reusing the same batch of passwords online.
33% of U.S. full-time workers use fewer than five different passwords to access between 25 and 50 personal and business sites.
Nearly three-quarters of 55-64 year olds are “unconcerned” by the security of their work IT systems, compared with almost half of 25-34 year olds.

ENTRUST DATACARD REVEALS NEW BRAND, PARTNERSHIPS AND PRODUCTS It’s been quite a year for the newly branded Entrust Datacard. The merger of the two companies was announced about a year ago, with the new company and brand being revealed at the 2014 CARTES conference. The company followed that up by also announcing an extension of a partnership with Interpol as well as new product announcements. While some may say it shouldn’t have taken long to come up with the new Entrust Datacard name – a combination of the two companies – there was a lot of thought that went into it, says David Rockvam, vice president for product management, Identity Solutions at Entrust Datacard. “The brands are 20 to 40 years old and there’s a lot of equity in them,” he explains. “It’s almost a slogan and show the combination of the two companies as we look to the future.” Datacard has been in the transaction processing business for many years and the vast majority of payment cards end up being touched by the company in some way, Rockvam says. Entrust’s focus on identity enables the combined company to bring a different perspective to

the market. From issuing payment cards to enrolling citizens into electronic identification programs, the new company can meet the need.` Continuing INTERPOL relationship Entrust Datacard announced the signing of a new five-year partner agreement with INTERPOL. The relationship, which dates back to June 2009, builds on a history of using one credential to cross borders and access secure systems. The INTERPOL eID and ePassport is used to cross borders and access secure INTEPOL systems. To date, more than 95 member countries are acknowledging and accepting the credential at border checkpoints. At the core of this technology, Entrust Datacard provides the PKI, trust infrastructure and authentication solutions to make the credentialing project possible. This operational infrastructure helps support the issuance of ICAO and EU standards-compliant INTERPOL ePassport and eID under the INTERPOL Travel Document initiative. This also includes advanced Extended Access Control-enabled document validation. “Agents get called and might need to be in a different country in 24 hours and they don’t have time to wait for visas and let criminals get away,” says Rockvam. In April 2015, Entrust Datacard and INTERPOL will take part in INTERPOL World, participating on an expert panel focusing on advanced solutions for border management and security.

Enabling mobile security via derived credentials Entrust Datacard customers are moving away from desktop and laptop computers and using tablets and other mobile devices as their primary devices, says Lindsay Kent, vice president marketing of software at Entrust Datacard. The challenge is offering the same type of security on these devices that companies could with computers. “People want to do everything on the tablet that they could on the computer, including accessing enterprise systems outside the firewall,” Kent says. To make the mobile device just as secure as any other system, Entrust Datacard has released the Mobile Smart Credential. These mobile-based identities may be issued, managed, derived and authenticated via the on-premise Entrust IdentityGuard software authentication platform or Entrust IdentityGuard Cloud Services. Using mobile-derived credentials, identities may also be originated from users’ existing vetted smart card or digital IDs. Users would download an app and then teach it where to find the identities, Kent says. They can de derived form existing smart card credentials or loaded over the air. When the solution is deployed, a trusted user or employee owns a digital identity that has endured a vetting process. Enterprises and governments alike may extend their security investment by recreating this digital identity to derive a trusted identity on secured mobile devices. The Entrust Datacard solution complies with government standards, and the solution may be deployed locally at the customer’s premises or via Entrust IdentityGuard Cloud Services, which is secured in the same facility as the existing U.S. Federal Shared Service Provider certification authority.


ID SHORTS

For U.S. government agencies, managing the surge of BYOD demands is particularly challenging. Government agencies must follow and comply with many policies – including FIPS 201 – that shape how employees and IT organizations conduct day-to-day business. The Entrust mobile approach can eliminate the need for government agencies to build custom solutions that comply with various regulations and policy. This further extends the Entrust Datacard investment in the U.S. government space, from FIPS 201 PIV credentials to advanced mobile identity solutions that conform to NIST SP 800-157.

GALLAGHER MAKING INROADS INTO FED PHYSICAL ACCESS CONTROL Gallagher started out helping businesses with animal management, farming, wild game and zoos but realized that protecting and managing animals of the four-legged variety could translate to securing facilities for two-legged people, says Brandy Sloan, business development manager for the federal space at Gallagher. The company started in the physical access control space through an acquisition in 1999 and entered the U.S. federal market three years ago. Gallagher built a 58,000-square-foot facility in Kansas where logistics and administrative tasks are handled. Gallagher has been using public key cryptography in its physical access control products since 1999, Sloan says. At first this was used to make sure rogue devices weren’t being used in the system, but Gallagher can now conduct full PKI validation without the need for any third-party hardware. With the exception of a third-party enrollment client, the company manufactures everything itself, from the controllers and readers to the input/output boards.


A key product for the U.S. market meets the requirements of FIPS 201 and PKI at the door, Sloan says. Using IP-based physical access – rather than the traditional Wiegand protocol – Gallagher has shaved 400 milliseconds from the transaction time. This may not seem like much, but when an employee is holding a card up to a door waiting for it to open, every little bit helps, she adds. Gallagher’s products also have high-speed data transfer capabilities of one megabit per second. Its readers receive firmware updates remotely, eliminating the need for an administrator to update each reader with a command card, Sloan explains. The PIV controller also includes intrusion detection and perimeter controls so enterprises don’t need an additional controller. It also handles video monitoring and the ability to read mobile devices and wearables.

FIDO ALLIANCE RELEASES IMPLEMENTATION SPEC

The FIDO Alliance is quite a story, from a small start-up organization two years ago with half a dozen members to more than 150 members including some of the largest Internet and telecommunications companies. The final 1.0 drafts of its first two specifications – Universal Authentication Framework and Universal 2nd Factor – will enable members to create products and systems that enable strong authentication across a range of products. With the spec released, products can go through certification, says Phillip Dunkelberger, CEO at Nok Nok Labs. Nok Nok has a number of products that it will take through the process so they are certified to work with other FIDO-ready products. While the specification has just been released, Nok Nok Labs wasn’t standing still, Dunkelberger says. The company has 18 pilots in various stages of proof of concept. “These are some big enterprises, we’re talking millions of users,” he adds. Products should start receiving certification around the end of the first quarter of 2015 and large-scale rollouts will begin after that, he says. The specifications outline a new standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any web site or cloud application can interface with a variety of existing and future FIDO-enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types. Keeping with the FIDO Alliance mission, both specifications are unencumbered by FIDO member patents. Members are free to implement and market solutions around FIDO-enabled strong authentication, and non-members are free to deploy those solutions. As previously announced, current implementations available in the market include those from Alibaba and Samsung as well as Google. While the core 1.0 specifications are final, the FIDO Alliance is nearing completion of extensions that will incorporate Near Field Communications and Bluetooth into the range of FIDO capabilities. Continuing evolution of the specifications based on new requirements and deployments will help ensure alignment of FIDO standards with demands in the consumer devices, online services and enterprise markets.

TRUE KEY ENABLES PASSWORD MANAGEMENT ACROSS MULTIPLE DEVICES Intel Security announced the limited release this week of True Key, a cross-platform consumer application designed to take the frustration out of remembering passwords. The app, introduced at the Consumer Electronics Show, combines password management with multi-factor authentication and can be installed on a phone, tablet or computer. True Key unlocks apps, browsers and devices using attributes unique to the user – like facial features or a fingerprint. “As you navigate to your apps and web sites, True Key remembers your passwords and automatically fills them in for you when you return,” says Mark Hocking, a vice president with Intel Security. “Access to your True Key app is only available to you once you prove you are you, using things that are unique to you – things like your face or a trusted device you own. Your information syncs to all your devices.” Hocking says True Key’s ability to work across multiple devices makes it unique. The app can be used with Windows PC, Mac, Android, iOS devices and the web browsers Chrome and Internet Explorer. Data is encrypted locally with AES-256 and stored on the device. Only the authorized user has access to the data – it’s not parked in a database for anyone else to see, he says. True Key is now available in limited release globally in English. Hocking says the app will be available later this year. In the meantime, you can request an invite and join the waiting list. “We have a freemium model like Dropbox,” Hocking says. “People who sign up for the free subscription will get up to 15 logins stored for free, along with all the other features.” A premium subscription with additional space costs $19.99 a year.

EU PAYMENT SERVICE PROVIDERS FACE DEADLINE FOR TWO-FACTOR Payment service providers in the 28-member European Union are working toward an August deadline to implement two-factor authentication for online payments. The European Banking Authority issued final guidelines in December setting minimum-security requirements for implementation. The guidelines define “strong customer authentication” as two or more elements including something you know, something you possess – phone or token – and something you are, such as a biometric.


“In today’s day and age, ‘something you know’ can most likely be discovered by others,” says Thorsten Trapp, CTO at tyntec, a mobile company. “Biometric data is great to identify a person, but has usability problems when it comes to mobile environment and issues related to data protection and privacy – which varies depending on where you are. That’s why phone-based authentication is emerging as the industry standard.” A massive 21% increase in fraud between 2011 and 2012 triggered the Banking Authority directives. The mandate also stemmed from EU-wide minimum requirements for more secure Internet payments and the standardization of online security. Payment service providers will also need to provide data protection and user education. “Third party authentication solutions – like one-time passcode text messages and out-of-band two-factor authentication – meet the security requirements of strong customer authentication and are user friendly, universally accessible, simple to deploy, and cost effective,” Trapp says.

He says it’s hard to know the impact of this move on payments in the US, where cyber security is evolving. But the rising business costs tied to breaches might support the argument for the US to follow the EU’s lead.

FACEBOOK REIGNS FOR SOCIAL LOGINS BUT GOOGLE CLOSING
Changes on the horizon for social logins in 2015

Facebook is in the lead with 43% of consumers who use federated logins choosing the social network, but Google is closing with 40%, according to research from Janrain. The two largest players in this space will continue to duke it out in 2015 as both are also expected to make some significant changes to their federated identities. The search engine giant gained 6% of total social logins in the fourth quarter of 2014 after a 3% slip between Q2 and Q3. This also represents the largest quarter-over-quarter increase in logins across all sites for any of the top identity providers in over two years. Google’s rise can be attributed to its increased ubiquity – it’s a one-stop identity to manage Gmail, Play, Android, YouTube and Google+ accounts – so consumers are now choosing it to manage other accounts as well. Janrain predicts that the numbers will get even tighter in the next few quarters as Facebook migrates to its new app version introducing line-by-line controls and the anonymous login option. The social network also has a renewed focus on consumer data privacy that may help Facebook regain some of the market share it lost this past quarter. There was little other change among the other identity providers in total market share, but there were some shifts within some vertical markets. LinkedIn saw a big jump across B2B web sites in the quarter, increasing its share of total logins from 29% to 35%. It’s likely that B2B companies are starting to understand the benefit of offering LinkedIn as a social login option, one that includes professional data such as positions held and a verified email address. Consequently, both Facebook and Google lost a 3% share in this space. Consumer brand web sites also witnessed changes this quarter. In an area that arguably serves the largest number of addressable customers, Google’s total share of social logins jumped 7% to 38% in Q4. Facebook’s share decreased 3%, from 52% in Q3, to just under half of total logins at 49% in Q4. Janrain predicts that there are some big changes on the horizon for social logins in 2015, and Facebook and Google are expected to make some big changes. Facebook is going to require those that consume user identities to go through an audit that will require them to explain what information they are collecting and why. Facebook will then have the authority to deny access to information if they deem a company’s rationale insufficient. Google is also preparing to deprecate its Google login on April 20, in favor of a universal Google+ option. If a site is using Google as a social login option, it must migrate to the Google+ identity provider within its application prior to the sunset date to ensure that login doesn’t fail.

25 WORST PASSWORDS OF 2014 Computer users are not using stronger passwords, according to the annual list of the 25 worst passwords from SplashData. In the fourth annual report, compiled from more than 3.3 million leaked passwords during the year, “123456” and “password” continue to hold the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include “qwerty,” “dragon,” and “football.” Simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only. Passwords appearing for the first time on SplashData’s list include “696969” and “batman.” “iloveyou” is one of the nine passwords from 2013 to fall off the 2014 list. “Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, but they are still not secure,” said Morgan Slain, CEO of SplashData. For example, users should avoid a sequence such as “qwertyuiop,” which is the top row of letters on a standard keyboard, or “1qaz2wsx” which comprises the first two ‘columns’ of numbers and letters on a keyboard. Other tips from a review of this year’s Worst Passwords List include:

• Don’t use a favorite sport, as “baseball” and “football” are in the top 10, and “hockey,” “soccer” and “golfer” are in the top 100.
• Don’t use a favorite team either, as “yankees,” “eagles,” “steelers,” “rangers,” and “lakers” are all in the top 100.
• Don’t use your birthday, or especially just your birth year – 1989, 1990, 1991, and 1992 are all in the top 100.
• While baby name books are popular for naming children, don’t use them as sources for picking passwords. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50.
• Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

SplashData collaborated with Mark Burnett, online security expert and author of “Perfect Passwords,” on the list. While people are still using bad passwords, there is some hope gleaned from the report. “The good news is that it appears that more people are moving away from using these passwords,” Burnett said. “In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

The official 25 worst passwords of 2014:
1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)
25. trustno1 (Down 1)

Certification Training for E-PACS
About CSEIP
• The Certified System Engineer ICAM PACS (CSEIP) Training and Certification Program provides advanced training for systems engineers configuring and testing E-PACS to align with government-wide specifications
• This training and certification is recognized and approved by GSA
About the Training
• Comprehensive three-day program includes expert classroom instruction, hands-on training using commercial E-PACS equipment and testing for competency on course objectives
• Course offers instructor-led training on how E-PACS work, how PKI is managed, and how PIV/PIV-I credentials interface with security systems
• Individual test workstations using commercial E-PACS hardware and software provide hands-on exercises for configuration of live PKI-based access control systems
• A comprehensive written and practical exam wraps up the program with certificates issued upon successful certification
Who Should Attend?
• Commercial security firms looking to sell and install ICAM PACS to GSA managed properties under updated GSA procurement guidelines for vendors and integrators
• Physical access control vendors who need to train their employees and resellers about proper steps to configure PKI-based PACS
• Government security officials responsible for implementing and operating PACS at their department or agency
Meets Federal Requirements and Highest Industry Standards
• Certification means that you have passed a rigorous, GSA-approved training program which demonstrates your ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACS
• CSEIPs demonstrate knowledge of the latest security industry standards and meet federal procurement requirements
Learn More Today Visit the CSEIP section of the Smart Card Alliance website for complete training information, prerequisites, exam dates, and a full description of this program; http://www.smartcardalliance.org
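A screening helper built from the patterns the SplashData tips and list above call out, added here as an example and not SplashData's or Mark Burnett's code; the word lists are the article's, while the keyboard-walk rule, the trailing-digit stripping and the 1920-2015 birth-year range are assumptions:

```python
"""Password screening built from the patterns SplashData's 2014 list calls
out: the printed top-25, numbers-only strings, keyboard walks, sports and
teams, common first names and birth years. Constructed example: the word
lists come from the article; the keyboard-walk detection, trailing-digit
stripping and year range are assumptions, not SplashData's method."""
import re

# The 25 worst passwords of 2014 as printed in the article.
WORST_25_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow", "master",
    "michael", "superman", "696969", "123123", "batman", "trustno1",
}
# Words the article names from the top 100 (sports, teams) and top 50 (names).
SPORTS_AND_TEAMS = {"baseball", "football", "hockey", "soccer", "golfer",
                    "yankees", "eagles", "steelers", "rangers", "lakers"}
COMMON_NAMES = {"michael", "jennifer", "thomas", "jordan", "hunter",
                "michelle", "charlie", "andrew", "daniel"}
# Keyboard walks on a US QWERTY layout: the rows, plus the column walk the
# article cites ("1qaz2wsx..."). Assumption: runs of 4+ keys are flagged.
KEYBOARD_WALKS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]
MIN_WALK = 4
# Assumption: any four-digit year from 1920 to 2015 counts as a birth year.
YEAR_RE = re.compile(r"(?<!\d)(19[2-9]\d|200\d|201[0-5])(?!\d)")


def is_keyboard_walk(pw: str) -> bool:
    """True when pw is a run of MIN_WALK+ adjacent keys in either direction."""
    if len(pw) < MIN_WALK:
        return False
    return any(pw in walk or pw in walk[::-1] for walk in KEYBOARD_WALKS)


def strip_trailing_digits(pw: str) -> str:
    """'steelers1' and 'michael1989' are still the base word for our checks."""
    return re.sub(r"\d+$", "", pw)


def screen(password: str) -> list:
    """Return the reasons a password matches the article's 'avoid' patterns.
    An empty list means none of the listed patterns matched."""
    pw = password.lower()
    reasons = []
    if pw in WORST_25_2014:
        reasons.append("in-2014-worst-25")
    if pw.isdigit():
        reasons.append("numbers-only")
    if is_keyboard_walk(pw):
        reasons.append("keyboard-walk")
    base = strip_trailing_digits(pw)
    if base in SPORTS_AND_TEAMS:
        reasons.append("sport-or-team")
    if base in COMMON_NAMES:
        reasons.append("common-name")
    if YEAR_RE.search(pw):
        reasons.append("birth-year")
    return reasons


def is_acceptable(password: str) -> bool:
    """Convenience wrapper for a registration or password-change check."""
    return not screen(password)


if __name__ == "__main__":
    for candidate in ("123456", "1qaz2wsx", "Steelers1", "michael1989",
                      "Tr4ck-lantern-orbit!"):
        print(f"{candidate!r}: {screen(candidate) or 'no listed pattern'}")
```

A blocklist like this catches only the patterns the report names; it belongs beside a minimum-length rule and a check against larger breach corpora, not in place of them.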


Easy to Authenticate. Difficult to Replicate.

TESLIN® substrate (pictured left) is the proven global substrate for secure credentials and ID cards.

When credential security and durability are paramount, TESLIN® substrate…
• Offers exceptional flexibility to outlast more rigid card materials while protecting and cushioning embedded electronics.
• Features the ability to be customized with embedded security features for program-specific formulations that enhance material tracking and credential authentication.
• Locks in printed graphics and forms virtually indestructible bonds with overlay and card body substrates to deliver highly secure card constructions.
• Delivers tamper-evident protection by permanently distorting if alteration is attempted.
• Prints unparalleled high-definition color images for quick and easy authentication by field agents.

Learn more by visiting Teslin.com/Easy.

© 2015 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.


THE EVOLUTION OF BIOMETRICS IN LAW ENFORCEMENT
AFIS, NGI, MULTI-MODAL ALL LEAVING THEIR PRINT
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS


When it comes to solving a crime many factors can play a role. Was there an eyewitness? Was evidence left at the scene? What about latent fingerprint images? Other than names, fingerprints may be the oldest identifier. The Babylonians realized fingerprints were unique and used them for identification more than 3,000 years ago. But only in the last 100 years did the biometric truly become a science used to identify criminals and conduct background checks on individuals working in schools, social work and other potentially sensitive positions. In the past 40 years, fingerprint science has moved from examiners studying ink-stained sheets with magnifying glasses to Automated Fingerprint Identification Systems (AFIS), which use computer systems and software to pull up possible matches. This does not remove the human aspect, as examiners still compare the actual fingerprint image to the AFIS-selected matches. If the procedural crime drama is to be believed, however, these prints are scanned and run against a single national database with a match returned in seconds. But as with most things on television, the reality is quite different. The majority of AFIS are siloed, such that bordering states and jurisdictions typically can’t even share data. While connectivity has always been an issue with these systems, the technology is evolving. Though AFIS has fingerprint in the acronym, it’s beginning to incorporate much more than just the single biometric modality. Systems are starting to collect facial images, palm prints, irises and even tattoos to assist in identifying criminals. The term AFIS is being used as a catchall for the use of biometrics to identify criminals.

WHAT IS AFIS? AFIS technology uses a combination of fingerprint images and templates to identify an individual from a database of millions, says Robert Horton, senior director of marketing and communications at MorphoTrak. Fingerprint images are scanned and the minutia points – ridge endings and bifurcations – are translated into templates so they are easier to search in a database. In essence, the template is a numeric representation of key geographic points from a unique fingerprint image.

Both the actual fingerprint image and the resulting template are retained in separate databases, Horton says. The AFIS searches the templates to find likely matches, but the final comparisons are done with the actual images. When a local jurisdiction sends information to the FBI or another agency, it’s the images that are transmitted. Jurisdictions send images back and forth because different AFIS use proprietary templates and algorithms that can’t be used by competitors. By sharing the actual images, each AFIS can create its own template to use in its specific search. These systems are not intended to return conclusive matches but rather a list of likely candidates. At this point a human examiner manually compares the actual fingerprint images identified in the AFIS candidate list. A newer AFIS can make this a much quicker and simpler process by returning more accurate results, Horton says. These newer systems cut down on the time it takes to find matches and can help law enforcement agencies to better allocate resources, Horton explains. Examiners spend less time manually checking prints because it’s more likely that the match will be found in the top few candidates provided by the system.

AFIS standards still emerging Automated Fingerprint Identification Systems have been around for 40 years, but standards for these systems didn’t emerge until 1993, says Robert Horton, senior director of marketing and communications at MorphoTrak. The first efforts to standardize AFIS started in 1986, but as with most standards it took time to work through the process. The first standards were “loosely written” so that older systems were grandfathered in and didn’t have to make changes, Horton explains. Since 1993 the standards have been modified every five years by the National Institute of Standards and Technology. The image-based standard calls for systems to extract minutia points out of an image in order to make a match. But even the standard isn’t perfect and it can be open to interpretation, Horton says. The specification primarily searches on fingerprint ridge endings, but it doesn’t specify where a ridge ending begins or ends. This can cause complications when sending prints to the FBI, which had to create translation software so the system can see where ridges begin and end in order to read the fingerprint the same way. Work is underway to solve the issues with these standards and make it easier to transmit and search different AFIS, a step that could lead to greater interoperability between jurisdictions.

THE FEDS GO NEXT GEN On the cutting edge of criminal identification will be the FBI’s Next Generation Identification (NGI) system. The system is about three-quarters of the way through its implementation, says Stephen Morris, assistant director of the FBI’s Criminal Justice Information Services Division (CJIS) in Clarksburg, West Virginia. The NGI will replace the Integrated Automated Fingerprint Identification System (IAFIS) that has been in use for about 20 years. “It’s been 10 plus years since we started working on the NGI, recognizing that we would need to upgrade the technology, leverage modern technology, as well as provide some enhancements and some additional service to law enforcement agencies,” says Morris. “The legacy IAFIS system was the FBI’s first step in providing some sort of automated capability for law enforcement agencies to submit fingerprint data, do some comparisons and get responses back. NGI represents the next generation of that.” CJIS maintains the FBI’s criminal history and fingerprint databases. It shares information with 18,000 law enforcement agencies in the U.S., as well as national and international security agencies. Morris says the NGI program is a major upgrade. “We’ve been able to provide better search algorithms that not only improve accuracy, but also give us a lot more capabilities particularly as it relates to comparing latent fingerprints,” Morris says. “Essentially, it represents better, faster and smarter technology.” The new system is designed with change in mind. One of the big drivers behind the program is recognizing that 20 years from now, the technology will be different. “There’s going to be new modalities of biometrics such as DNA, iris, facial – technologies that aren’t used everyday or are just coming into use,” Morris says. “We wanted to make sure that the system was scalable and that we could upgrade it and use a plug and play capability.”

THE FBI’S NEXT GENERATION IDENTIFICATION SYSTEM IS DESIGNED WITH CHANGE IN MIND. THIS INCLUDES THE ADDITION OF NEW MODALITIES SUCH AS DNA, IRIS AND FACIAL TECHNOLOGIES

PHASES OF NGI ROLLOUT The NGI is being deployed in 12 to 18 month increments, with a feature being added during each new phase. Using an incremental approach enables the FBI to leverage additional technologies and make changes. “It’s an evolving process, not just something that you throw a switch and then it’s done,” Morris says. “On all of these increments, you roll it out into the real world and then make adjustments. Providing a service to 18,000 police departments requires coordination.”


Assured Authentication

Lumidigm® is now HID Biometrics. Sometimes you need more assurance about who is requesting access. Only biometric authentication verifies who is present... and only Lumidigm® multispectral imaging provides the reliability, security and convenience required for your mission-critical application. When it’s important to have greater assurance of who is accessing your assets, choose HID Biometrics.

Your Security. Connected. Visit hidglobal.com/lumidigm to see what we’re all about.


AFIS isn’t in your mobile phone Fingerprint technology has gained a lot of attention the past couple of years as Apple introduced the technology into its iPhone, Samsung placed it into the Galaxy S5 and other mobile manufacturers did the same. But this is not AFIS. AFIS is based around fingerprint images and is used to identify an individual from a large database, via a one-to-many search. It can also use latent images – partial fingerprints often lifted from a crime scene – to identify someone from a larger set of images, says Kris Ranganath, director of technology and solution at NEC Corp. of America. Mobile biometric transactions are for authentication. In this case, the device already knows who should be trying to access it because the owner was previously enrolled. Unlike AFIS, this is a one-to-one comparison to authenticate the user, rather than the one-to-many attempt to identify an unknown individual. With the mobile devices as with AFIS, the fingerprint is scanned and translated into a template. A mobile template typically represents less than 100 minutia points from the thousands available on the fingerprint. The points are mapped out, translated into binary code and then stored. The fingerprint scanners on mobile devices, while accurate, are not as accurate as the systems used by law enforcement, Ranganath says. “In AFIS applications, we take a scanned fingerprint and can tell you who they are by searching millions of records.”
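The template search described under WHAT IS AFIS? and the one-to-many versus one-to-one distinction drawn in this sidebar, shown as an added example that is not MorphoTrak's, NEC's or the FBI's code; the minutia model, the tolerances, the greedy scoring rule and the sample gallery are all assumptions built to illustrate the idea:

```python
"""Simplified minutiae-template matcher illustrating the one-to-many AFIS
search (a ranked candidate list for an examiner) and the one-to-one mobile
verification described in the article. Constructed example: the minutia
model, tolerances, scoring rule and sample gallery are my own assumptions,
not the proprietary algorithms of MorphoTrak, NEC or the FBI's NGI."""
import math
import random
from dataclasses import dataclass

RIDGE_ENDING, BIFURCATION = "ending", "bifurcation"


@dataclass(frozen=True)
class Minutia:
    x: float       # position in the fingerprint image, pixels
    y: float
    angle: float   # local ridge direction, degrees
    kind: str      # RIDGE_ENDING or BIFURCATION


def minutiae_agree(a: Minutia, b: Minutia,
                   dist_tol: float = 12.0, angle_tol: float = 20.0) -> bool:
    """Same type, close in position and in ridge direction (tolerances assumed)."""
    if a.kind != b.kind or math.hypot(a.x - b.x, a.y - b.y) > dist_tol:
        return False
    diff = abs(a.angle - b.angle) % 360.0
    return min(diff, 360.0 - diff) <= angle_tol


def similarity(probe: list, template: list) -> float:
    """Fraction of probe minutiae that find a distinct partner in the template.
    Greedy pairing; a production matcher also aligns for rotation/translation."""
    if not probe or not template:
        return 0.0
    unused = list(template)
    matched = 0
    for m in probe:
        for i, t in enumerate(unused):
            if minutiae_agree(m, t):
                matched += 1
                del unused[i]
                break
    return matched / len(probe)


def identify(probe: list, gallery: dict, top_k: int = 3) -> list:
    """One-to-many search. Returns (subject, score) candidates ranked by score;
    the AFIS does not declare a match, the examiner compares the images."""
    scored = sorted(((similarity(probe, tmpl), subject)
                     for subject, tmpl in gallery.items()),
                    key=lambda s: (-s[0], s[1]))
    return [(subject, round(score, 3)) for score, subject in scored[:top_k]]


def verify(probe: list, enrolled: list, threshold: float = 0.6) -> bool:
    """One-to-one check: the device already knows whose template it holds."""
    return similarity(probe, enrolled) >= threshold


def make_template(rng: random.Random, n: int = 40, size: int = 300) -> list:
    """Constructed enrolled template: n random minutiae in a size x size image."""
    return [Minutia(rng.uniform(0, size), rng.uniform(0, size),
                    rng.uniform(0, 360), rng.choice((RIDGE_ENDING, BIFURCATION)))
            for _ in range(n)]


def latent_probe(template: list, rng: random.Random,
                 keep: int = 20, jitter: float = 3.0) -> list:
    """Constructed partial print: a subset of minutiae with capture noise."""
    return [Minutia(m.x + rng.uniform(-jitter, jitter),
                    m.y + rng.uniform(-jitter, jitter),
                    m.angle + rng.uniform(-5.0, 5.0), m.kind)
            for m in rng.sample(template, keep)]


# Deterministic sample gallery of 50 subjects and one latent from subject-017.
RNG = random.Random(2015)
GALLERY = {f"subject-{i:03d}": make_template(RNG) for i in range(50)}
PROBE = latent_probe(GALLERY["subject-017"], RNG)

if __name__ == "__main__":
    print("candidate list:", identify(PROBE, GALLERY))
    print("verify as owner:", verify(PROBE, GALLERY["subject-017"]))
    print("verify as stranger:", verify(PROBE, GALLERY["subject-003"]))
```

The candidate list is the hand-off point to the human examiner the article describes; the 1:1 threshold is the mobile case, where the only question is whether the enrolled owner is present.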

The first increment, deployed in April of 2010, focused on improving the search algorithm. The second increment added additional search capabilities as part of the new RISC – Repository For Individuals of Special Concern. “Officers are now able to carry a small device on their belt that’s not much larger than a cell phone,” Morris says. “When they encounter an individual that gives them reason to suspect that they’re up to no good, the police officer can ask them to submit a thumbprint on that device.” Within seconds, the device runs a RISC search. Morris figures nearly two million searches have been made against the system since it was deployed in 2011.

The third increment provided law enforcers with better capabilities for searching latent prints and palm prints. “The search algorithms for latent prints are very challenging,” Morris says. “As a result of that increment, we went from a 35 to 40% accuracy rate for searching latent prints to in excess of 80% accuracy.” The FBI also saw a jump in cold cases being solved thanks to the new search algorithm. The program is now in Increment Four. This phase provides additional search capabilities relating to scars, marks, tattoos and some facial recognition. “This is where we’ll start being able to allow law enforcement agencies to submit digital photos that can be searched against criminal mug shots,” Morris says. “So when individuals are arrested and photographed, those photos will be compared against our repository that we have of criminal mug shots.” The search capability is expanding to include civil fingerprints as well. Individuals applying for security and background clearances often provide these. Certain industries – such as law enforcers and caregivers for the elderly – are required by law to submit applicants or new hires for clearances. With this increment of NGI, the agency that submits the prints may request that they be kept for future reference. So if someone who submitted civil fingerprints is arrested in the future, the record could be flagged and the agency notified. “Other increments in the next couple of years will look at the feasibility of iris recognition among other things,” Morris says. “It will allow for a study to be done, but it doesn’t mean that it’s actually going to be incorporated.” The final increments will bring the program full circle, where the FBI will start refreshing some of the technology put in place at the beginning. “A system like IAFIS or NGI requires a constant process to operate and maintain it,” Morris says. “Even the old legacy IAFIS system was upgraded from servers to blades to any number of different technologies over those years. The same thing will take place for NGI.” The NGI program rollout had an estimated budget of $1.2 billion, and Morris says it is on schedule and slightly under budget. “It’s reported to be the largest IT development program in the history of the Department of Justice,” he says. “I think we can say it’s been a success so far.”

POLICIES, SILOS LIMIT INTEROPERABILITY The majority of law enforcement agencies connect to the FBI to run fingerprints and in some cases with other local or state systems. But often these systems are not connected with neighboring states, says Robert Horton, senior director of marketing and communications at MorphoTrak. The common misperception is that all criminal fingerprint systems are interconnected and can turn out a match in seconds, explains Horton. But in reality, there is not just one AFIS. The FBI maintains one of the larger systems in the world, but states and local jurisdictions across the country and around the world have their own systems that they use for law enforcement, social services and other matters. Unfortunately, the siloed AFIS do not automatically share data or searches with one another. There are a couple of issues that prevent searching across various AFIS, Horton explains. First is the technical challenge that not all AFIS are interoperable. Standards do exist to help the systems interoperate, but unless jurisdictions use the proper, up-to-date specifications the systems won’t work together. The second challenge is around policy, Horton says. Jurisdictions that want to share AFIS data need to have an agreement in place as to what information is shared, how long it is stored and other details. These can be difficult to negotiate, so few states have these agreements in place.

‘WIN’ING IN THE WEST There are exceptions. Within the National Capital Region, Washington DC, Northern Virginia and Montgomery County, Md. share information between the individual AFIS. Another large consortium known as the Western Identification Network (WIN) sees eight states not only sharing information but also the cost of AFIS, says Kris Ranganath, director of technology and solution at AFIS provider NEC Corp. of America. Alaska, Oregon, Idaho, Utah, Montana, Washington, Nevada and Wyoming formed WIN in 1989, says Ken Bischoff, CEO at WIN. The previous year, California had deployed an AFIS and these states saw the success and wanted to follow suit. At a meeting of the Western States Attorneys General, a discussion resulted in the eight states pooling resources and forming WIN, Bischoff says. All eight states now share the cost of the NEC-supplied AFIS and are able to search records for possible suspects. The network has 25 million sets of prints and sends 6,000 transactions a day to the FBI. Each state has its own AFIS server and is linked to WIN. Typically, the state jails have biometric scanners that capture the fingerprints, search the local AFIS and then send the prints up to WIN if a match isn’t found. The last search is the FBI’s system. “A rule of thumb is that 85% of crime scene latent prints hit on your own database,” Bischoff explains. “The ones you don’t have will hit on other databases.” After receiving the images, the state police runs the fingerprints through WIN and notifies the local officials if a match is made. If there isn’t a match, the images are sent on to the FBI for comparison. “When the prints are good enough to hit or not hit they can get a result back within minutes but if it needs an operator verification it can take a little longer,” says Dawn Peck, manager in the Bureau of Criminal Identification for the Idaho State Police.

THERE IS NOT JUST ONE AFIS. THE FBI MAINTAINS ONE OF THE LARGER SYSTEMS IN THE WORLD, BUT STATES AND LOCAL JURISDICTIONS HAVE THEIR OWN SYSTEMS THAT THEY USE FOR LAW ENFORCEMENT, SOCIAL SERVICES AND OTHER MATTERS

Eighty-five percent of state law enforcement agencies submit fingerprints and latents electronically for searching, while the remaining send in ten-print cards with the inked images, she notes. WIN and its member states are also adding other biometric modalities. Idaho has added palm prints to its database and is considering other additions. “We’re already getting hits from the palm print database,” Peck says. WIN operates on the service bureau model, enabling states to benefit from the latest technology without the capital expenditure, Bischoff says. States pay a monthly fee to access the network. Idaho didn’t have an AFIS before joining WIN and it likely would have been a while before it could have afforded one. “This was the only cost-effective way we could acquire the technology,” Peck says. In 1989 the system would have been cost prohibitive, and being able to write the technical specifications to procure the correct system would have been difficult, she explains. Even now, the staff to support and maintain the AFIS would be difficult to afford. “We would have to do with so much less if we tried to do it on our own,” she adds. This type of service bureau model is catching on, says Ranganath. “The technology refresh happens automatically and the jurisdictions are always getting the latest technology without a capital expenditure,” he adds. This enables the addition of other biometric modalities, says Ranganath. Facial recognition and iris are the two that many agencies are considering. “In major cities you see a lot of cameras that can help identify people,” he says. “Also if someone has been arrested we can match a mug shot to an individual.” While cameras can capture facial images and fingers can leave latent prints behind, iris can’t do either, Ranganath says. But agencies are still capturing it as a way to quickly identify criminals if they have been arrested. The other trend in criminal identification is to take pictures of tattoos and scars.

FBI pushes biometric technology center
The FBI is partnering with the U.S. Department of Defense on a $164-million Biometrics Technology Center in Clarksburg. The 360,000 square foot facility is on track to be operational by fall of 2015. “We have what we call a Biometric Center of Excellence, which is basically our umbrella program where we look at all the biometrics across the universe to see what technology, what applications are out there that we can use,” says Stephen Morris, assistant director of the FBI’s Criminal Justice Information Services Division. The new facility will house research and development for the FBI and DoD, with room for other agencies to park employees as well. “We’re trying to create a task force environment, and hopefully it’ll be one where it not only will harness what Defense and Justice are doing in biometrics, but be the focal point for biometrics in the whole U.S. government,” Morris says. “People tend to focus on the potential abuse of these systems, but I would say just the opposite. They should take comfort in knowing that agencies are leveraging these technologies to rule out false positives,” he says.

AFIS OUTSIDE OF LAW ENFORCEMENT
Another feature that NEC offers WIN members is the ability to be notified if someone’s status changes. For example, if an individual who has applied for a gun permit or a teaching license is arrested, the system could notify the organization that ordered the check. WIN does a great number of regulatory checks in addition to criminal identification, Bischoff says. This is a common AFIS function, as regulators want to make sure that teachers and others who work in schools don’t have criminal backgrounds. States typically collect fingerprints of teachers, social workers and a myriad of other people during background checks, says MorphoTrak’s Horton. The prints are run through the local, state and FBI systems to make sure there are no convictions or other problems. But just because an individual has their fingerprints run through the FBI’s system, it doesn’t mean the prints are stored there. “The FBI isn’t keeping everything from the states,” Horton says. “Just because an agency might search the FBI doesn’t mean it’s stored there.”

While the history of AFIS is in law enforcement, using it for background checks and other purposes isn’t new, says Horton. In 1995 MorphoTrak did a system for Los Angeles County for those receiving welfare. “Every welfare recipient was enrolled in order to get their checks and to make sure there weren’t duplicate enrollees,” he explains. The system worked so well that the entire state of California now uses the system. Three other states also have deployed similar systems to reduce welfare fraud, Horton says. The U.S. Department of Homeland Security uses an AFIS to check incoming travelers. Foreign visitors to the country have all 10 fingerprints scanned and run against a watch list. Systems like this have become common around the world, Horton says. Some countries also fingerprint citizens when applying for passports and check those against an AFIS before issuing the travel documents, Horton says. Depending on the country, the fingerprints may be translated into templates and stored on the contactless chip in the passport book.

THE FUTURE OF AFIS
The flashing computer monitor to indicate a fingerprint match might be a staple of procedural crime shows, but the reality is quite different. Forty years of AFIS have made law enforcement more efficient. Fingerprints will always play a role when it comes to law enforcement and evidence collection, but an expanded role in travel and other facets of everyday life is rapidly emerging as well. As the modern AFIS enters middle age it’s not standing still. Additional biometric modalities are being added to bolster systems, while better algorithms and matching engines improve accuracy. Continued standardization and more widespread data sharing will help future AFIS track down criminals across jurisdictions.

AVISIAN’s Gina Jordan also contributed to this report.




A HISTORY OF AFIS
DOROTHY BULLARD, MANAGER OF MARKETING PUBLICATIONS, MORPHOTRAK

2014 marked the 40th anniversary of Automated Fingerprint Identification Systems (AFIS). In forty short years, fingerprint matching has become a part of everyday life; from law enforcement agencies using fingerprints to solve crimes, to ordinary people using a fingerprint to unlock their smart phones, clock in at work, at the gym, or pay for cafeteria lunches. Keep reading to find out about the history and evolution of fingerprint matching. You’ll also learn how the old adage “it’s not rocket science” doesn’t quite fit when we’re talking about fingerprint science.

FINGERPRINT MATCHING: A SCIENCE THAT IS BOTH YOUNG AND OLD
Fingerprint patterns never change and no two fingers are alike. More than three thousand years ago, Babylonians recognized that each person’s fingerprints were unique and could serve as an identifier. They were used in ancient Babylonia on clay tablets as signatures for business transactions. Fingerprints were also used in China on clay seals more than 1500 years ago. But fingerprint analysis didn’t really become a “science” until the 1800s, with widespread use of fingerprint cards for criminal investigation and identification not becoming a reality until the early 1900s. For more than 100 years now, the ridge formations and patterns on our fingertips have provided the best and most accurate measure of individual personal identities. Since 1924, the FBI has been the country’s central national repository for fingerprints, which arrive by the thousands each day. It was very much a production-line type process in the early days. The prints would be classified via the “Henry” method, a classification system for loops, whorls and arches that was developed in 1896.


FOR MORE THAN 100 YEARS, THE RIDGE FORMATIONS AND PATTERNS ON FINGERTIPS HAVE PROVIDED THE BEST AND MOST ACCURATE MEASURE OF INDIVIDUAL PERSONAL IDENTITIES

In a Henry search, the FBI’s examiners would have to find the proverbial needle in a haystack. An examiner would be led to a room of cabinets, which would lead to a specific cabinet, then to a drawer, and then maybe lead to a set of prints that had a similar classification. Using this manual comparison method, it could take several days to compare a print against perhaps a thousand other sets of likely matches. This made it difficult to solve serious crimes in a timely manner. By the 1960s, the FBI’s fingerprint collection had grown to comprise millions of cards, and their manual Henry system was unmanageable. They knew automation would be the key to speeding up fingerprint matching. The Bureau contracted with the National Institute of Standards and Technology – which at the time was called the National Bureau of Standards – to study the feasibility of fingerprint automation. The bureau identified two key issues that automation would have to overcome: automatically scanning and identifying minutiae, the points of comparison on a fingerprint, and automatically comparing and matching lists of minutiae. The FBI funded studies to address the challenges of scanning, feature extraction and matching. By 1969 the Bureau was convinced that the task could indeed be automated, and issued a request for proposals, followed by a prototype pilot test. Two systems were built, one by Rockwell Autonetics – now MorphoTrak – and another by Cornell Aeronautical Laboratory. After technical evaluation, the FBI awarded the contract to Rockwell to build five high-speed card-reading systems.

With AFIS, law enforcement agencies were able to solve more crimes, spurring sales of AFIS to additional U.S. and North American agencies. Seeing the success, other vendors soon entered the picture. Among them was Morpho Systèmes, which formed as a start-up company in 1982. Today there are nearly 30 fingerprint technology corporations listed as members of the International Biometrics & Identification Association, and this list represents only some of the solutions providers in the marketplace. Thanks to improvements in matching algorithms and architecture advances that expand the database, AFIS are faster, more accurate and search more data than ever before. To illustrate, the first systems were able only to search the ten rolled prints on a fingerprint card. In the 1990s composite systems were able to select the best prints available from multiple arrests of a single individual. In 2000, multi-incident systems added the ability to also search against each individual arrest record.

FINGERPRINT TECHNOLOGY: ALWAYS IMPROVING

The first AFIS required an entire room for the equipment and stored only minutiae because disk technology was too expensive to save the actual images. In the first three years of operation, the FBI converted more than 14 million criminal fingerprint cards to digital electronic format. Improvements were immediately evident. Using the old manual process, in 1974 it could take the FBI 30 to 45 days to process a fingerprint request – a major delay for a law enforcement agency that wanted to know if the person they were holding was wanted for another crime. The new automated process sped the print identification significantly, enabling the new system to run through 100,000 sets in just 30 minutes.

FINGERPRINT TECHNOLOGY: SEARCHING ALL PARTS OF THE HAND

Another way that accuracy has increased is in the ability to search all parts of the hand. Because 30% of prints found at a typical crime scene are of the palm, adding palms was a key AFIS improvement. This addition became a reality in 2000, and a study by the FBI found that the practice increased the latent hit rate by 10% to 12%. The final evolution in AFIS searching is the ability to search all areas of the hand. This is known variously as the “Major Case Prints”, the “Supplemental Images” or the “Entire Joint Image.” The image below depicts the six cards that make up a Major Case Print record, in which you can see the areas of the hand it captures, compared to the ten rolled prints that were searched on the original ten-print card. The FBI implemented palm print and supplemental print search capabilities as part of its Next Generation Identification (NGI) rollout. Currently in Increment 4 of its implementation, NGI has brought increased crime-solving capabilities to law enforcement in the United States.

THE EVOLUTION OF AFIS VENDORS
And what of the “rocket science” connection to fingerprint science? It still exists. Avionics manufacturer Sagem acquired AFIS provider Morpho Systèmes in 1993 and the company became known as Sagem Morpho, headquartered in France. In 2005 Sagem merged with Snecma, a manufacturer of aircraft and rocket engines, to create the Safran Group. Rockwell spun off its Printrak division – which had built the original system for the FBI – as a separate company in the 1980s. It was acquired by Motorola, developer of the Iridium satellite network, in 2000. In 2009, Sagem Morpho and Motorola Printrak merged into a single company, becoming MorphoTrak. Both legacy companies are now part of the aerospace company Safran.

FINGERPRINT TECHNOLOGY IN THE FUTURE
Although Sagem Morpho won the FBI contract away from Printrak in 1999, the two former rivals are now a single company. Morpho continues to provide the matchers for the FBI’s new NGI system, which houses 120 million ten-print fingerprint records and performs more than 10,000 latent searches per month. From this legacy system in the 1970s, today Morpho has captured more than 3 billion fingerprints, and the company’s products are used by more than 450 government agencies in over 100 countries.

USE OF FINGERPRINT CARDS FOR CRIMINAL INVESTIGATION AND IDENTIFICATION BECAME WIDESPREAD IN THE EARLY 1900S



CARD TECH 101: ADVANCED MATERIALS SECURE IDS

FIGHTING COUNTERFEITS, ADDING DURABILITY WITH COMPOSITE CARDS
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

Identity can be asserted in many different ways. Tapping a card for access or inserting it into a reader to encrypt an email are just a couple of examples. But still the most common way an individual asserts an identity is by handing an identity document to someone for visual inspection. The inspector compares the person to the picture on the card, verifies other data and then makes a determination. Even in this overly electronic world, the vast majority of identity documents are visually scanned before access is granted. Whether going through security at the airport, verifying age at a bar or visiting an office building, it’s likely that an ID will be inspected. The problem is that visual inspection only works if the ID document can be trusted. If cards can be readily counterfeited, the system breaks down rapidly. And as the volume of fake driver licenses and identity documents, whether shipped in from overseas or made in garages and dorm rooms, increases, steps need to be taken to thwart counterfeiters. This means issuers need to take steps to ensure that their documents are counterfeit resistant. The materials that make up the card, its construction and personalization should all be carefully evaluated and selected to maximize security and durability. High-security issuers are already recognizing the need and securing their card construction and materials, but other issuers need to take notice. Experts agree the threat will only continue to rise and broaden in the coming years.

BUILDING A PLASTIC CARD
Many assume the standard CR80-sized plastic card is a single piece of plastic die cut from a large sheet, but the truth is a bit different, says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. A typical card includes multiple layers of white plastic made from polyvinyl chloride (PVC) with a clear PVC layer on top. The clear layer contains the variable information, such as photo and demographic information. The card can also include an overlay or laminate layer with a security element such as a hologram that is added during the personalization process. If the card includes electronics – such as a contactless chip and antenna array – those are sealed in a sheet of plastic and placed in between the PVC core layers, Scaglia explains.

COMMON CARDS, COMMONLY COUNTERFEITED
“This basic PVC card offers fairly low levels of security,” he says. This alludes to the fact that it can be easily and inexpensively counterfeited. PVC cards are everywhere, likely due to their extremely low cost. They are personalized using readily available desktop printers. These printers as well as the PVC cards and printer ribbons are available online from countless resellers and auction sites. This makes them great for fast, convenient and low cost ID creation. But it also makes them extremely susceptible to fraud.

COMPOSITE MATERIALS TURN THE TIDE ON FRAUD
Instead of constructing cards with layers of PVC, composite cards layer different materials to add advanced features and combat counterfeiters. Composites are the go-to options in the high-security identity document market. One common composite is a Teslin core with two polyester overlays, Scaglia says. Teslin is a substrate material, manufactured by PPG Industries, which is placed in the core of a card and then personalized with photos and other information. The Teslin substrate absorbs the printing and lamination materials, making it resistant to delamination and altering. It also increases the durability of the card and adds cushion to better protect chips, antennae and other embedded electronics. Teslin also enables the issuer to embed other security elements into substrates of the card, Scaglia explains. “There are a range of Teslin substrates that incorporate different security features such as ultra violet or forensic features,” he adds. The Teslin core is typically surrounded by polyester overlays, which protect the card. The three sections are bonded together using a thermal adhesive, Scaglia explains. “The advantages of this construction are that you secure the information into the substrate and once it’s there it can’t be altered,” he adds. This type of card also has far greater durability than a typical PVC card. A bend test of durability found that the composite card will last 300,000 bend cycles, whereas a PVC card lasts between 16,000 and 20,000, Scaglia says.

ISSUERS ARE SELECTING CARD MATERIALS THAT CAN ENABLE MULTIPLE WAYS OF PERSONALIZING. LASER ENGRAVING, LASER ABLATION AND VARIABLE ULTRA VIOLET IN DIFFERENT COLORS ARE ALL METHODS THAT INCREASE THE DIFFICULTY OF COUNTERFEITING

DRIVER LICENSES NATIONWIDE GO COMPOSITE
MorphoTrust supplies driver license issuance materials and support to 42 states. According to Roland Fournier, senior marketing program manager at the company, states started moving to higher-durability, better security products about seven years ago because of REAL ID, a federal mandate to better secure state driver licenses. “We’re seeing a variety of materials being used, with Teslin and polyester composites representing more than half the cards we issue,” says Fournier. Others use combinations of composite materials including polycarbonate and polyesters. He says only six or seven of their client jurisdictions are still using low-end PVC cards. The combination of materials enables states to attain the durability of a 10-year document and add security features otherwise not possible, such as laser engraving.

SELECTING CARD MATERIALS BASED ON ISSUANCE METHODS
To figure out which materials and security features work best, the first step is determining if issuance will be handled over the counter or through a central facility. Over-the-counter issuance limits the security options to the time and ability of the desktop card printers. Central issuance gives issuers more options, including laser engraving, Fournier says. “You can use more sophisticated features when issuing from a factory,” he adds. The composite combination of polyester and Teslin lends itself better to machine-readable technologies, Fournier says. A handful of states still have magnetic stripes on their documents, which can place a strain on the document. In these cases, polyester composites are preferred because polycarbonate is stiff and can crack with repeated swiping. Thus polycarbonate cards are not usually used with machine-readable technologies other than bar codes. The type of card material used will determine the printing process as well, Fournier says. With the polyester and Teslin composite cards, the materials come to the central issuance facility in large sheets that will eventually become 12 individual IDs. Personalization is done on the Teslin layer, which is then fused with the polyester and then die cut into individual cards. These composite cards are also well suited to laser engraving, one of the more robust security features available. In the past state driver license issuers have been reluctant to add to the cost of the cards. This has changed in the past few years, as states recognized the need to do more to stymie counterfeiters, Fournier says. In the past the DMVs were profit centers for states, he notes, so they were incented to keep costs down. “But we have seen more sophisticated card materials being used, as well as a willingness to spend more on securing the card to stay ahead of the counterfeiters,” he explains. MorphoTrust states are spending between 75 cents and $1.10 per card, Fournier says. States are also making sure they use multiple security features on the credentials in an effort to thwart counterfeiters. “Issuers are selecting card materials that can enable multiple ways of personalizing,” he says. “Laser engraving, laser ablation and variable ultra violet in different colors are all methods of personalization that increase the difficulty of counterfeiting. If a counterfeiter has to master 34 different personalization techniques, that gets it out of the hands of the everyday fraudster and makes it more expensive,” he explains.

Some of the visual security features that issuers regularly use come from ITW Security and Brand Identity Group. The company makes products that work with all types of cards including composites, says Joanne Ogden, global sales manager for the security division at ITW. ITW’s Covid and Fasver products are overlays that increase security and deter fraud. Covid places holographic images on top of the printed elements of the card, while Fasver enables visible and invisible printed elements to be integrated. When a new customer begins to work with ITW the company looks at the equipment the issuer has and security features that work with the existing equipment, Ogden says. Typically Covid is used with PVC materials, while Fasver is ideal with Teslin, polycarbonate and other composite cards. “We work with a range of products, no one material is prevalent,” she explains. “PVC is the age-old material, but we’re seeing more and more Teslin and polycarbonate.” For many, cost is the biggest detractor to using some of these new materials. Laser engraving can add tens if not hundreds of thousands of dollars in additional cost to a project, Ogden says. “Finished cost of a polycarbonate card can be three times that of a PVC card,” she explains.

Combining layers to create more secure ID cards
Issuers create ID cards by combining multiple thin layers together to form a single plastic sheet. Standard cards have a thickness of 30 mil – a mil is one-thousandth of an inch – and often include five or six different layers. The various layers can be created from the same material – most often polyvinyl chloride (PVC) – but this limits both security and durability. More secure card issuers opt for a mix of materials such as polyester, Teslin and polycarbonate to build a better ID. By using composites of multiple materials the finished product is more flexible and the card’s lifespan increases. The choice of materials also impacts personalization options and can make counterfeiting the IDs far more difficult than with traditional PVC cards.

A COMPOSITE FUTURE?
Still, when it comes to security and combatting counterfeiters, it could be money well spent. The only way to make visual inspection work is to ensure the ID documents cannot be easily forged. Card construction, materials and the visual security features they afford are key to this process.

National IDs, driver licenses and other government identification are often the cards using these materials today. Other issuers have not yet shown significant interest in more secure, non-PVC card materials, Fournier admits. “We’re not yet seeing widespread adoption of the advanced materials in the corporate space,” he says. But there are signs that this is changing. As U.S. banks add technologies to cards because of the switch to EMV, they are showing more interest in both protecting the card and adding longevity by increasing durability, Fournier adds. Other issuers from corporations to educational institutions are feeling the fraud pinch as well, and it is inevitable that the threat will rise. But as education about the countermeasures offered by advanced materials spreads, the cost-benefit balance swings in favor of better security.



STEP-UP AUTH ADDS ASSURANCE TO SOCIAL MEDIA CREDENTIALS
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

There’s a lot of talk about getting rid of passwords and issuing high-assurance identity credentials for accessing information. A major stumbling block in this equation, however, is getting those credentials into the hands of consumers. Prevailing wisdom suggests that asking consumers to go to a physical location to apply for credentials is out of the question, and even if they would, it would be incredibly time consuming and costly. Instead many sites are starting to use step-up authentication. This enables a consumer to use an identity they already have – Google, Facebook, Twitter, etc. – answer some questions and have an increased level of assurance associated with the credential at various relying parties that opt to accept it. The basic idea is to enable customers to do simple things without much of a hassle, but as the risk level goes up so must the assurance of the identity. “Step-up is about offering higher levels of security and low levels of annoyance for users,” says Mary Ruddy, research director at Gartner. “Instead of having the person do lots of work up front you let people come in and do simple things, and then if they want to do something sensitive, ask for more information.”

CASE STUDY: ID.ME
ID.me uses step-up authentication to grant higher levels of assurance for its users, says Matt Thompson, COO at the digital credential provider. It’s one of three companies – along with Verizon and Symantec – approved to offer level one through three, non-PKI credentials for use on federal government sites. The company started out verifying benefits for veterans, enabling them to be identified at web sites and receive discounts without having to give up any more data than necessary. Later, they expanded the offering enabling students, teachers and first responders to apply and receive discounts.


Recently, the company opened the credential to anyone. To date, ID.me has issued more than 1 million credentials, and consumers can use it for services from discounted online shopping to accessing secure government web services. “We started by enabling people to prove a specific attribute in exchange for a discount and benefit,” Thompson explains. “Now we’ve expanded the network of where people can use ID.me and it’s not just around Veterans Affairs.” A $1.2 million grant from the National Strategy for Trusted Identities in Cyberspace enabled ID.me to open up the site and add the identity assurance element, Thompson says. Members have the option of whether to step up their identity with the site. What the individual wants to do with the credential will dictate the level of assurance, Thompson says. “Making a purchase or verifying you’re a veteran will be different than someone needing a level-three credential for access to a government site,” he adds. Here’s how step-up authentication commonly works. A consumer accessing a site that requires a high-assurance credential first chooses a credential provider. For example, if an ID.me credential is chosen and they don’t already have a credential, they are asked to pick a user name and password. An email is then sent to the user for confirmation. The user clicks on the link to validate the email and is taken to a page where they are prompted

I HOPE THAT AGENCIES LOOK AT WHAT’S BEEN DONE WITH THE NSTIC AND DON’T GO OUT AND DO THEIR OWN THING. THE OBJECTIVE IS INTEROPERABILITY AND PRIVACY, NOT TALLER WALLS AND DEEPER MOATS


Obama calls to step up with multi-factor auth
Last fall, President Barack Obama signed an executive order on cybersecurity that aims to protect consumers from identity theft. It requires federal agencies to issue and accept EMV payment cards and take extra precautions online when protecting citizens’ personal information. The focus of the announcement was the use of EMV, a more secure payment technology. But even more significantly, a short section of the executive order mandates a move to more secure authentication by government agencies. The order calls for government agencies to conduct proper identity vetting before enabling access to personal information and then putting multi-factor authentication in place to secure the access to that data. “This is the government raising the bar,” says Jeremy Grant, Senior Executive Advisor for Identity Management, NIST. “We’re not just going to be letting people in with user names and passwords, and we’re going to make sure they are who they claim to be.” Exactly how this will be done has not yet been revealed. Government agencies were working on a plan for how such a system would roll out and as of press time no further updates were available. The idea behind the executive order is not a small challenge, says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. Moving to strong identity vetting and multi-factor authentication throughout government is a huge task. “The challenge is coordinating across all the agencies and sub-agencies and getting them all to sing off the same sheet music,” he explains. The executive order calls for agencies to implement identity vetting and multi-factor by mid-2016. The lack of standardized processes around these poses problems, Hulver says. “Identity touches everyone,” he says. “Rolling out an identity system isn’t as easy as turning on a new firewall.” It’s likely that agencies will team up and use the same processes and systems. “You’ll log in to one site that might share a credential with other agencies,” Hulver adds. “What should happen is that I sign up for one credential that is used across all government sites, but that’s not going to happen.” Too many agencies with different focuses and the lack of a central entity to move the project forward will likely mean different systems across government, Hulver explains. At this point there are more questions than answers. “Will there be consistency across the agencies? How will they identity proof citizens? Will vendors who supply the credential get access to information?” Hulver asks. “It’s going to be a big challenge but it has to happen.” There are some who are predicting that there may be one central service that offers both citizen identity proofing and multi-factor authentication. The Federal Cloud Credential Exchange (FCCX) – now Connect.gov – may well be that service. It is set to launch in 2015 and will enable citizens to use existing credentials for access to government sites. The majority of the credentials Connect.gov will accept are level one, self-asserted identities, but there are a handful of credentials that have more assurance behind them, including PIV, PIV-I, Verizon and ID.me. ID.me hopes that agencies create systems to enable the use of the same credentials, says Ryan Fox, chief product officer at the company.
“I hope that agencies use the guidance and look at what’s been done with the National Strategy for Trusted Identities in Cyberspace and don’t go out and do their own thing,” he explains. “The objective here is interoperability and privacy enhancing technologies, not taller walls and deeper moats.”

FCCX rebrands to Connect.gov
Program will enable Yahoo, Google, PayPal IDs on gov sites

The Federal Cloud Credential Exchange (FCCX) is dead, long live Connect.gov. Rebranding FCCX was a no brainer as people weren’t sure how to say FCCX (F-6?), spell it or what it was going to do, says Jennifer Kerber, program manager for Connect.gov at the GSA. “We wanted to change it and went with Connect.gov because it connects users to the government,” Kerber explains.

The premise behind Connect.gov is simple – enable individuals to access government web sites using credentials they already have. The GSA is testing the system now and plans to roll out citizen-facing applications throughout the year. “We want to do user experience testing, it comes down to providing a good experience for the consumer,” Kerber says. The GSA also wants to make sure that consumers understand what’s going on when they use the system. While creating a new user account at different sites is a standard practice, it’s not one that people enjoy. Still, people might not understand what’s going on when they’re asked to enter a user name and password from an account they already have.

Connect.gov is working with the USDA, IRS, the Centers for Medicaid and Medicare Services, Veterans Affairs and other agencies. The system accepts a number of level-one credentials, including Yahoo, PayPal and Google. The GSA also signed contracts with ID.me and Verizon to provide credentials that can be stepped up to reach level two and level three assurance. The system will also accept government-issued PIV cards.

There are endless possibilities for different Connect.gov uses, Kerber explains. “As a citizen, it would be great to have this secure digital credential that I can use for anything I want from paying taxes to getting veteran’s benefits,” she says. “I know that the information is secure and that I only give up the information that I choose.”

Agencies benefit because they don’t have to create or maintain an identity management system. Kerber is working with them to find out how they would like to use the system. Eventually, Connect.gov could be the underlying system that all federal agencies use for identity vetting and secure access. The groundwork is already in place for these systems; it’s a matter of making it work across agencies. Some may scoff at using this for access to federal sites only, as many people don’t access these resources very often. But ultimately, it’s a matter of getting people comfortable using these new types of authentication systems.

for more information, name, address, date of birth and other basic demographic data. In order to get the higher assurance credentials the individual must also provide a Social Security number and credit card number. Once that information is verified – and as long as the identity hasn’t been flagged – a series of knowledge-based questions are generated from data in the individual’s credit report. If the knowledge-based questions are answered correctly, the user can then set up multi-factor authentication, Thompson explains. The individual provides a phone number to receive either texts or calls with one-time passwords for use during future transactions. When returning to the site that consumes the newly issued high-assurance credential, the individual enters their user name and password and receives a one-time password for multi-factor authentication. ID.me aims for transparency when consumers are using the credential on other sites as well. When a relying party requests use of the credential a window pops up letting the consumer know exactly what information is being requested. Even ID.me does not know what transactions are being performed with the credential.

STEPPING UP AN AIRLINE WEB SITE

Others are also looking to take advantage of step-up authentication for access to services. Janrain helps companies use social identities on their web sites and has worked with some of its customers to add step-up authentication. The company is working with an airline to use social login to enable a customer to browse articles about travel, access loyalty information and book trips, says Jamie Beckland, vice president of marketing at the company. “There’s a marketing site about vacation and if they want to share that article and add comments they would use a social login,” he explains. “But if they want to book a trip or check a loyalty balance, an additional layer of security is needed.”

This step up could be something as simple as another password that had previously been created, or it could be a one-time passcode delivered to a mobile device or a series of knowledge-based questions, Beckland explains.

MULTI-FACTOR IS A MUST

There is a lot of upside to step-up authentication, but it’s not perfect. The process is simpler than visiting an office, providing documentation and receiving a physical token – but it’s not the easy, frictionless experience a lot of people want it to be. “The problem with a strong credential is that it requires more upfront work by the user and they don’t want to do that,” says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. “You have the competing factors of ease of use and strong authentication.”

Even knowledge-based authentication, a key component of many step-up processes, has its pros and cons. It can be accurate and helpful in identifying consumers remotely, but it can also be difficult, time consuming and fail to identify some people. “If you’re choosing picky enough questions there’s a chance they won’t remember the answer,” Ruddy says.

Another idea is to tie step-up authentication to an identity associated with a mobile device, Ruddy says. Consumers who have mobile phone contracts have to undergo a credit check, so there is a certain level of stepped-up assurance inherently associated with that device. “If you can tie a person to a specific device – it’s not guaranteed to be in the hands of the right person – but there’s a strong inclination.”

Hulver advocates different authentication and assurance levels based on the risk of the transaction. Checking an account balance could be a low-level transaction – not even necessarily requiring a password – but if a consumer wants to pay a bill or transfer money then stronger authentication is necessary. Adaptive authentication technologies could enable step-up authentication in the background without the consumer even knowing it. Checking an IP address, the time of day the transaction is made or the geographic location where it’s performed could all be factors leading to higher levels of identity assurance, Hulver says. “It could also check if your mobile phone is within three feet of where you’re making the transaction,” he says. “The chance of someone having your phone and knowing your user name and password is not that great.” These are the same types of technologies that banks and credit card companies have in place for fraud alerts, and it’s all based on risk. “Risk is key,” says Ruddy. “People are adjusting their risk management systems and a lot of work has been done to make it more efficient and effective.”

These adaptive authentication schemes could also lead to even greater levels of assurance, because they collect more data as time goes on. “If you’re stepping up the authentication for one transaction then it should be stored and used at other relying parties,” Hulver explains. “Eventually over the course of three to six months, a consumer could reach even higher levels as the system learns more about them. Eventually it will be invisible and in the background.”

ID.me service steps up assurance via KBA and multi-factor (screenshots: a knowledge-based verification form, “Please answer the following questions to verify your identity,” followed by a phone confirmation step, “Confirm your phone number – Please enter the 6-digit code sent to you”)

HOW TO:

ADDING SOCIAL LOGIN TO YOUR SITE

Social logins are just about de rigueur. Consumers don’t want to create new accounts, so sharing or piggybacking on existing credentials they already use can be a great solution. That is the key to social login: extending a user’s existing social media credential to enable access to other web sites and services. It has obvious attraction for the user, but it has great benefits for the site’s owner as well. It can enable the owner to get better data about customers while avoiding the pitfalls that come with being an identity provider.

But how does a web site implement social login? Many sites contract with a third-party provider of social login solutions to ease the integration process. These companies handle the setup and maintenance of the login service to minimize coding and effort on the part of the site’s owner. Using APIs or add-ons, the site owner need only add the app and configure it to meet specific needs. Companies like Janrain can set up social logins for a site, embed the products in the web site, create the application and handle the protocols and data exchanges. The web site just has to place a piece of code and then Janrain handles the communication, says Marla Hay, senior product manager at Janrain.

But what happens behind the scenes? Or what if you want to build it yourself? The specific implementation process varies between social identity provider and protocol. For example, to include a Google login it must be configured using a specific identity protocol. But LinkedIn, Facebook or one of the countless other options may require a separate workflow and even protocol.

Most identity providers use one of three protocols – OpenID, OAuth 2.0 or OpenID Connect – to control the backend functionality. Hay says OAuth is the most common protocol Janrain encounters, although she notes that OpenID Connect has been gaining popularity since its ratification last year.

WIDGETS.COM LAUNCHES SOCIAL LOGIN To describe the implementation process, imagine that the company Widgets.com wants to get out of the business of managing its own user name and password based access system for online clients. They decide to move to social login, opting to allow customers to choose between Google, Facebook and LinkedIn for accessing the Widgets.com site.


For terminology purposes, in this example Widgets.com is the site owner, Google is the identity provider and OAuth 2.0 is the identity protocol. Widgets.com starts by creating an application at the specific identity provider they wish to enable for social login – in this case it will be Google using OAuth 2.0. The application contains key information that Google will need to know about Widgets.com in order to interact during the authorization process. This includes the callback URL, which tells Google where to redirect the user once the authentication process is complete. It also includes a key and secret, which enables Widgets.com to identify itself to Google during the authentication process.

When the consumer arrives at the Widgets.com website to log in, they are redirected to a Google endpoint. At this point the consumer is presented with a list of things Widgets.com would like to access. These are called “scopes” and can include information about the user such as name or email, or actions, like posting a comment to a Google+ circle. The consumer will log in to their Google account and either approve or reject the request to authorize Widgets.com to obtain data or act on their behalf. Some identity providers will enable the consumer to select line-by-line which permissions they wish to grant. Others take an all-or-nothing approach, where the user rejects the authorization altogether if they don’t wish to approve the requested scopes. The scopes available vary between identity providers, depending on the function of the social provider.

Stats show social login a necessity

77% of consumers prefer social login to traditional registration
88% of consumers have encountered social login before
51% of consumers use social login
64% of consumers who frequently leave sites due to forgotten login information say social login should be offered as a solution
67% of consumers are willing to share some personal information via social login in exchange for a more personalized experience
91% of consumers who use social login are satisfied with the experience

Source: Janrain

Once the consumer authenticates, Google sends the approval, along with an authorization code, back to the callback URL that Widgets.com listed when creating the application. Once Widgets.com has that authorization code, it can make a server-side call to Google to exchange that code for a token. The token enables Widgets.com to retrieve the consumer data or use the permissions that the consumer approved for them. When exchanging the code for a token, Widgets.com will also send the application ID and secret, so Google is assured that the token is sent only to Widgets.com. Now that the Google login has been successfully implemented, Widgets.com team can conduct a similar process for the other identity providers that they wish to enable for social login.
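To make the Widgets.com walkthrough concrete, here is an added example (not code from the article, Janrain or Google) of the site owner’s side of the OAuth 2.0 authorization code exchange, run against a small in-memory stand-in for the identity provider so it executes offline; the client id, secret, callback URL, endpoint path and user e-mail are constructed placeholders. It also carries the `state` parameter, which ties each callback to the browser session that started the login so a stray or replayed callback is rejected.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Registration data Widgets.com would have entered when creating its application
# at the provider. All values are constructed placeholders, not real Google values.
CLIENT_ID = "widgets-example-client-id"
CLIENT_SECRET = "widgets-example-client-secret"
CALLBACK_URL = "https://widgets.example/oauth2/callback"
AUTHORIZE_URL = "https://idp.example/o/oauth2/auth"   # assumed endpoint path


def _query(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeIdentityProvider:
    """In-memory stand-in for the provider's authorization and token endpoints."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope, user)

    def authorize(self, request_url, user, approve=True):
        """Consent step: the user signs in at the provider and approves the scopes."""
        p = _query(request_url)
        # The provider only redirects to the callback registered for this client.
        if p.get("client_id") != CLIENT_ID or p.get("redirect_uri") != CALLBACK_URL:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approve:
            return CALLBACK_URL + "?" + urlencode({"error": "access_denied", "state": p["state"]})
        code = secrets.token_urlsafe(24)
        self._codes[code] = (p["client_id"], p["redirect_uri"], p["scope"], user)
        return CALLBACK_URL + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Server-to-server exchange: authorization code plus client credentials for a token."""
        entry = self._codes.pop(code, None)            # a code is single use
        if entry is None:
            raise PermissionError("invalid or already used authorization code")
        creds_ok = hmac.compare_digest(client_secret, CLIENT_SECRET)
        if not (creds_ok and client_id == entry[0] and redirect_uri == entry[1]):
            raise PermissionError("client authentication failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": entry[2], "user": entry[3]}


class WidgetsSite:
    """The site owner: builds the redirect, checks the callback, exchanges the code."""

    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}   # browser session id -> pending state / signed-in user

    def begin_login(self, session_id, scope="openid email"):
        # state is a per-session random value; the callback must echo it back.
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": CALLBACK_URL, "scope": scope, "state": state})

    def handle_callback(self, session_id, redirect_url):
        q = _query(redirect_url)
        sess = self.sessions.get(session_id, {})
        expected = sess.pop("state", None)              # state is also single use
        if not expected or not hmac.compare_digest(q.get("state", ""), expected):
            raise PermissionError("state mismatch: callback is not tied to this session")
        if "error" in q:
            return None                                  # the user declined the scopes
        # The code travels through the browser; the secret never does. The exchange
        # happens server to server with the application id and secret attached.
        token = self.idp.token(q["code"], CLIENT_ID, CLIENT_SECRET, CALLBACK_URL)
        sess["user"] = token["user"]
        return token


def demo():
    """Full happy path: redirect, consent, callback, code-for-token exchange."""
    idp = FakeIdentityProvider()
    site = WidgetsSite(idp)
    auth_url = site.begin_login("browser-session-1")
    callback = idp.authorize(auth_url, "alice@example.com")   # consent granted
    return site.handle_callback("browser-session-1", callback)
```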

The amount of time and effort involved in implementing social login varies between protocols, but even within a given protocol the implementation can vary between providers, explains Hay. Social login implementation can take some effort and time – depending on the expertise of the developer – and always requires understanding the particular implementation of the selected identity provider. Whether an organization builds the functionality on its own or contracts with a social login provider, the benefits can be great. Research indicates that users are more likely to actually register for a site that supports social login. They are also more likely to return for subsequent logins, likely due to the increased ease and convenience.

ELEVATED AUTHENTICATION IN THE ENTERPRISE HOW CORPORATIONS ARE ENABLING ACCESS TO HIGH-SECURITY APPS MARK DIODATI, RESEARCH VICE PRESIDENT, GARTNER

The surge in the use of adaptive authentication has many ramifications for general authentication, but perhaps the most interesting is its impact on elevated authentication. This is where elevated will see its second act. Adaptive authentication leverages behind-the-scenes techniques to raise the assurance level of primary authentication mechanisms without any user interaction, for example checking an IP address, the geo-location on a user’s phone, and so on. But what if the inevitable happens: adaptive authentication becomes so good that it announces itself as the primary authentication mechanism? That’s where elevated authentication enters its second act by enabling enterprises to put in place other authentication mechanisms for access to higher-security information and applications.

When it comes to authentication, enterprises have always lived on the painful edge of the “security vs. usability” debate. Authentication methods must deliver enough identity assurance to match the application’s requirements. But when enterprises make draconian authentication choices, users will revolt or find a way to bypass the authentication system. Elevated authentication was born from the security vs. usability debate. Rather than treat every application as the same, elevated authentication introduced tougher methods only when they’re needed – when applications with higher assurance levels are accessed. Before it could see broad deployment, elevated authentication required the arrival of Web Access Management systems – think Netegrity SiteMinder, now owned by CA Technologies. A Web Access Management policy engine supports multiple authentication methods, and can rank them in order of assurance. The administrator also assigns assurance levels to applications, which enables a scaled approach for authentication in general, particularly elevated authentication. If a user attempts to access a higher-assurance application without the right method, the Web Access Management system prompts for re-authentication.

THE FIRST ACT

There are many examples of elevated authentication and it remains a part of the enterprise authentication strategy. Suppose you have an environment where users authenticate with a password to Active Directory at their domain-joined workstation. Active Directory returns Kerberos credentials, which will be used for access to applications. When the user attempts to access a Web Access Management-protected application, the Kerberos credential is presented as proof of authentication. The system issues an HTTP cookie that will provide access to other protected applications. The user can access subsequent lower-assurance applications without re-authentication. But when the user attempts access to a Web Access Management-protected application that requires higher-assurance authentication – such as human resources or financial applications – the user is prompted to authenticate with a higher-assurance authentication method, for example a one-time password from a mobile device. After the first elevated authentication, the user can access other higher-assurance applications without re-authentication. If the user’s first authentication to the Web Access Management system is via OTP, then the user may access both high and low assurance applications without re-authentication. In the pursuit of minimizing usability concerns, the elevated authentication method is used only when required. If users access only lower-assurance applications, there is no need to use the elevated – and less usable – authentication method. Elevated authentication can also be tied to specific situations or users. For example, many organizations will force an elevated authentication based upon network awareness, such as if the user is remote. Similarly, elevated authentication may hinge around user privilege, with highly-privileged users forced to elevate.

TRADITIONAL ELEVATED AUTHENTICATION EXAMPLE (figure)

SHIFTING PASSWORD AUTHENTICATION OFF THE STACK

To date, adaptive authentication has been used behind the scenes to improve the assurance level provided by passwords. But adaptive authentication techniques are broadening in scope and seeing enhancements via big data techniques. So what’s to stop adaptive authentication from coming out of the shadows to replace passwords for lower assurance applications? In other words, what if identity assurance levels are maintained and usability is improved by replacing password authentication with adaptive authentication? There could be big usability gains as users are granted application access without an obvious authentication process. But it’s by no means the universal response to all of the challenges in authentication. At the end of the day, stronger technologies – like OTP, smart card and mobile – will be required for high-assurance applications.

THE SECOND ACT

If adaptive authentication techniques become the replacement for passwords, then elevated authentication will see increased usage, riding the coat tails of adaptive authentication. As users will inevitably run into high-assurance applications, the initial adaptive authentication will not pass muster, and users will be forced to elevate. In order to support broad consumer use cases, a selection of elevated authentication methods will be required.

A LITTLE ELEVATION GOES A LONG WAY

By definition, elevated authentication should be used sparingly. Its usage should be less frequent as compared to a primary authentication method, be it something traditional like a password or more cutting-edge like adaptive. After all, if an enterprise frequently pushes users into elevated authentication events, mutiny awaits. In these instances, the enterprise is better off turning the elevated authentication method into the primary method. Doing so will improve usability by reducing the number of user authentications and potentially confusing application interactions.

THE WRAP UP

One size does not fit all for authentication methods, and this is particularly true when your users are consumers rather than employees. Multiple elevated authentication methods are required to support these users. Adaptive authentication adoption is accelerating – not only for background authentication but moving up the stack to replace primary authentication methods like passwords. When it happens, the use of adaptive authentication as a primary authentication mechanism is likely to result in the broader deployment of elevated authentication methods.
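As an added example (not Gartner’s, CA’s or any product’s configuration), the following model sketches the assurance-ranked policy engine described in the first act, with the background signals from the adaptive-authentication discussion earlier in this issue (IP address, time of day, phone proximity) allowed to raise a low-assurance session by one level but never into the tiers that need a real elevated method; the level numbers, method and application names and network ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assurance levels are assumed numbers: 1 = password or Kerberos, 2 = level 1 plus
# agreeing adaptive signals, 3 = one-time password, 4 = smart card.
METHOD_LEVEL = {"password": 1, "kerberos": 1, "otp": 3, "smartcard": 4}
ADAPTIVE_CAP = 2   # background signals never reach the tiers that need an elevated method

# Applications and the level the administrator assigned to each (constructed names).
APP_LEVEL = {"intranet-news": 1, "expense-portal": 2, "hr-payroll": 3, "treasury-transfer": 4}

# Address ranges treated as "on the corporate network" (assumed).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Context:
    """Signals observed without asking the user: the adaptive inputs."""
    source_ip: str
    local_hour: int      # 0-23 at the user's location
    phone_nearby: bool   # the "is the phone within a few feet" check from the article


@dataclass
class Session:
    """One Web Access Management session (what the issued HTTP cookie would reference)."""
    user: str
    methods: set = field(default_factory=set)   # every method completed so far

    def authenticate(self, method):
        if method not in METHOD_LEVEL:
            raise ValueError(f"unknown authentication method: {method}")
        self.methods.add(method)


def on_corporate_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def adaptive_boost(ctx):
    """One extra level of assurance, granted only when every background signal agrees."""
    return int(on_corporate_network(ctx.source_ip) and 7 <= ctx.local_hour < 20 and ctx.phone_nearby)


def session_level(session, ctx):
    """Assurance the session currently carries: its strongest method, possibly boosted."""
    if not session.methods:
        return 0
    strongest = max(METHOD_LEVEL[m] for m in session.methods)
    if strongest >= ADAPTIVE_CAP:
        return strongest                      # already elevated; signals add nothing
    return min(strongest + adaptive_boost(ctx), ADAPTIVE_CAP)


def decide(session, app, ctx):
    """Policy decision for one request: ("allow", None) or ("step_up", method)."""
    required = APP_LEVEL[app]
    # Network awareness: remote users must elevate for anything above the lowest tier.
    if required > 1 and not on_corporate_network(ctx.source_ip):
        required = max(required, METHOD_LEVEL["otp"])
    if session_level(session, ctx) >= required:
        return ("allow", None)
    # Prompt for the least burdensome method that still satisfies the application.
    method = min((m for m, lvl in METHOD_LEVEL.items() if lvl >= required),
                 key=lambda m: (METHOD_LEVEL[m], m))
    return ("step_up", method)


def demo():
    """Walk the article's scenario: Kerberos logon, low apps allowed, HR app forces OTP."""
    office = Context(source_ip="10.20.30.40", local_hour=10, phone_nearby=True)
    alice = Session("alice")
    alice.authenticate("kerberos")            # domain-joined workstation logon
    trail = [decide(alice, "intranet-news", office),
             decide(alice, "expense-portal", office),   # boosted to level 2, no prompt
             decide(alice, "hr-payroll", office)]       # needs a real elevated method
    alice.authenticate("otp")                 # the user answers the elevation prompt
    trail.append(decide(alice, "hr-payroll", office))         # allowed from now on
    trail.append(decide(alice, "treasury-transfer", office))  # top tier still wants smart card
    return trail
```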

IOWA TEST DRIVES MOBILE LICENSES GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

The march toward a paperless tomorrow has made its way to the Iowa Department of Transportation, where officials have been weighing the concept of a digital driver license. The idea is simple. Put the plastic credential in the smart phone already carried by a majority of residents. But simple ideas are often complex executions.

The Iowa DOT has been working on the concept for about a year. MorphoTrust – the company that provides the physical driver license for most states, including Iowa – has been on it far longer. The company says it’s in talks with several states about going digital. Delaware has announced that it will conduct a pilot, but Iowa is the first in America to actually take steps toward implementation. Iowa’s pilot is planned for some time in 2015 involving a small number of mainly Iowa DOT employees who carry state-issued iPhones. For the pilot, the digital license will be presented in the form of a smartphone app. The data is encrypted and stored on the device. Security features on the smartphone protect the information, but additional safety measures are expected to be implemented before the official public launch.

“So many people are getting used to using their phone, whether it’s as their boarding pass to get on an airplane or carrying their insurance card,” says Jenny Openshaw, vice president of state and local sales at MorphoTrust. “It’s not a very big stretch to say, ‘every time I have to pull the card out of my wallet, what if I could pull my phone out?’”

The digital license will be offered as an option – not a replacement for the ID in your wallet – as physical cards will continue to be part of the mix. Once an applicant is vetted and approved for a driver license, the customer may choose to also accept a digital license. Mark Lowe, director of Iowa DOT’s Motor Vehicle Division, is the force behind the digital license pilot. “A lot of folks are talking about whether we will see a time when there will be no physical licenses. My answer has always been that as the devices and adoption rates evolve, that will become more likely,” Lowe says.

In Iowa, the process will start when a digital user is issued a PIN giving them access to download the app. The customer will select their preferred biometric – a thumbprint or facial image – and the smartphone will be used to capture it. This will be used to unlock the app in the future. When the app is opened in the future, the user will present the biometric to be verified. If successful, the app will be unlocked. Then it will communicate with DOT to verify that the device is authorized to present the license and that the license remains valid. “We’re not just giving them an image of a driver license that resides in their phone,” Lowe stresses. “When the app gets opened, instead of it calling up a photo or an image, it’s communicating back to us and verifying that the device is authorized to present the license. It also verifies the validity of the license and populates with the latest information when it’s opened.”

PRIVACY AND SECURITY

The opportunities that come with a digital ID – the addition of biometrics and other security features supported by smartphones – could be an attractive option for providers. “I think it’s a very smart move,” says Alan Goode, managing director of Goode Intelligence, a London-based research and consulting firm. “I think if you compare it to what we have at the moment – paper documents and printed cards – there’s a bit of a situation. We’ve got a lot of fraud. It’s relatively easy to (create) a fake ID.”

The pilot may help answer questions about what happens when users lose their phone – and subsequently their ID – and how much police are allowed to see if they’re handed the phone with the digital license. “People lose their licenses, they forget to bring their licenses. So the concept that somehow I didn’t have my phone or the battery was out hasn’t really changed the way that we would deal with that,” Lowe says. “The other side of the coin is I’ve given it to an officer to look at and I’m worried about him looking at other things in my phone. We think the answer is just part of the design of the app.” He suggests that they are not going to allow the handset to push other messages or information, such as incoming text messages, while the license screen is active. Additionally, the license screen can only be exited after the owner of the phone again unlocks the app.

By the time the app is publicly available, Openshaw expects it to have multiple security features to ensure that only the authorized user will be able to assert the digital identity. “We’re going to make sure that we have either the same or greater privacy protection on a digital driver license as we have put into the programs for the physical license,” she says. “I think many of those policies are going to have to come from our partners at the DMV with regard to what law enforcement can and can’t do with the digital license.”

OTHER TECHNOLOGICAL USES

Planners envision all sorts of uses for the technology, like push notifications involving emergency alerts or driving records. It could also be a means of initiating various government services. “That’s the beauty of the mobile,” says Phil Sealy, senior analyst at ABI Research, a technology market intelligence company. “You could provide added value on top of the driving license app to encourage use and also to make it convenient and provide extra services.” Sealy thinks a digital license is a good way to reduce the cost of issuance, improve security, and verify identity. He says the trend toward smart ID cards in Canada, Japan, India and Europe shows that the broader move toward digital isn’t far off. “The app is making use of this whole sort of bring-your-own-device scenario,” Sealy says. “People are on the move and they need access to these services 24/7, and a mobile device allows you to do that.”

Goode sees the Iowa pilot being the first of many and not just in the States. “Some European countries are investigating this,” says Goode. “I think with India’s national ID program, there is an opportunity there. Once you get a proliferation of smartphones within a community, within a region, then that kind of supports it.” The Iowa pilot involves figuring out the best way to get credentials onto the smartphone. Then, planners will explore ways relying parties could utilize the app. Goode describes a potential use in establishing a new bank account or mobile phone service. “This could be the kind of the digital ID that speeds up the process, so we don’t have to present ourselves at a branch or a mobile shop to sign up for services.”

Iowa is eyeing a public launch of the app in 2016. Lowe sees this step toward digital identity as a natural evolution. “I think we’re just being responsive to the things that we’re using and seeing and asking ourselves, ‘why not?’”

Kiosks enable license renewal, replacement

While not as advanced as a digital driver license, Iowa is one of seven states enabling residents to use a kiosk to renew or replace documents as well. In 2013, the Iowa Department of Transportation decided to have two kiosks at the Iowa State Fair to see how residents responded, says Mark Lowe, director of Iowa DOT’s Motor Vehicle Division. Over the span of 10 days, the kiosks serviced 1,000 customers and convinced officials to use the kiosks more. In 2015 the state is planning to roll out 20 kiosks at various locations, including retail locations like grocery stores, Lowe says.

Residents simply walk up to the kiosk and choose the transaction they wish to perform. If it’s a license renewal they scan the bar code on their license and the camera in the kiosk will use a one-to-one facial recognition check to compare the image on record with the individual standing at the kiosk. If the individual doesn’t have their license or it was lost they will be asked a series of demographic and knowledge-based questions, he explains. If they answer those questions correctly, facial recognition will be performed and the transaction enabled. The kiosks also ask other questions once an identity has been authenticated, Lowe says. Current address, organ donor status and other information is also confirmed during a kiosk session. After a payment is made the resident then receives a receipt for the purchase and the license will be mailed from a central issuance facility within days.

While driver license tasks are what the kiosks will be used for to start, Iowa is considering other tasks as well, Lowe says. Once an identity is confirmed the kiosk might be used for printing out birth certificates, voter registration and fishing and hunting licenses. “We’re just scratching the surface with driver licenses,” he adds.

Elsewhere, the Massachusetts Registry of Motor Vehicles deployed eight kiosks across the state for residents to renew or replace IDs, says Margaret Bouse, senior director of marketing and new market development at MorphoTrust. Massachusetts is the seventh state to deploy MorphoTrust kiosks with more states in the pipeline. “DMVs see this as a way to create a better customer service option,” Bouse says. “It encourages people to do the transaction themselves and gives a sense of instant gratification.” Like Iowa, Massachusetts is a central-issuance state, meaning residents get a receipt from the kiosk transaction and their license arrives in the mail a few days later. She notes that for states that have over-the-counter issuance, residents would take their receipt to a clerk where they would wait for the ID to be printed. States are deploying the kiosks to reduce lines and wait times and increase customer service, Bouse concludes. It’s another option to mailing in renewals or doing it online.


We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.

gemalto.com ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN MORE AT GEMALTO.COM

© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. January 2014 - Credit photos: Thinkstockphotos - CC

Trusted and convenient digital services for billions of individuals


MAKING PHYSICAL ACCESS EASIER, MORE FLEXIBLE WITH IP-BASED TECH

AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

It used to be that managing property access for the Barefoot Resort in North Myrtle Beach, S.C., meant having to manually control access privileges for hundreds of residents. Access privileges to the resort’s buildings, pools, beach cabana and gated parking lots varied from resident to resident. Ponderosa Management, the company in charge of 1,800 of the resort’s 3,000 homes and condos, relied on a traditional access system using dedicated lines to control physical access. “The system was time consuming, inefficient and expensive,” says Pam Basilicato, executive director of Ponderosa Management in North Myrtle Beach, S.C. Ponderosa looked into an Internet-enabled physical access system to accommodate the growing community and ultimately made the switch. With the Internet Protocol (IP)-enabled system, property managers now control access to all areas of the resort from any computer or smart phone. “For owners, it’s simple. They call in, we issue them a card, and two minutes later, it’s programmed,” Basilicato says.

Ponderosa Management is part of a growing trend. Both commercial and government organizations are moving toward Internet-enabled physical access control systems – and away from prior systems that required every door to be individually hard wired and programmed. “Anybody who’s deciding they need to use something other than IP to network their building is at least 10 years behind, if not more,” says John Szczygiel, executive vice president and chief operating officer of Brivo Systems, the physical security company that produced the IP-based system used by Ponderosa. “People have started asking, ‘Why do I need wires at all?’” Connecting a physical access control system to an Internet-enabled backbone can ease a lot of pain for the end user. IP technology simplifies the infrastructure and can be more cost effective and easier to use.

Still, some question if putting these systems online makes them more vulnerable. Industry insiders contend that if such vulnerabilities exist, they stem from not having the proper protections and controls in place. “It’s like asking, ‘Is my money safer underneath my mattress at home, or in the bank?’” Szczygiel says. “I think it’s safer in the bank.”

TECHNOLOGY DRIVES IP DEMAND Despite these concerns, more physical access control systems are incorporating IP technology. Cloud, smart phone and tablet technologies have helped drive the demand for Internet-enabled systems, which rely on a network connection to grant a person access into a building. “Generally speaking, everything today is designed to run on a network,” Szczygiel says. Through IP, the administration of a security system goes beyond just a single physical building. It can go across an entire enterprise, routing access controls along corporate and worldwide networks. “That gives you more flexibility,” says David Helbock Jr., senior sales engineer in the federal division of security firm XTec.

Two-way communication is one of the primary benefits of controlling access through IP. In the old days, many front-door physical access control readers used a Wiegand interface, a decades-old technology that provided only single direction communication. Each reader had to be hardwired individually to a central control panel somewhere inside the building. If one of the access control panels needed an update, someone had to go out and physically update the firmware. To gain access into a building, an individual had to hold up a card to the reader, and the system would send back a pulse to say whether it was okay to open the door for that person. With IP-addressable readers, however, more functions can be made available at the door. A door reader can check a biometric and send data back and forth from the network to the person at the door. Communication can also extend to other networks to more easily check cardholder status, credential validity or revocation lists. “IP technologies are scalable to meet a particular customer’s needs and offer exponential possibilities to the end user,” says Rick Focke, senior product manager for Software House, a security firm that is part of Tyco Security Products. IP readers can add a host of additional remote applications, such as employing the reader as an intercom or having users respond to customized questions or checklists. “Essentially, you have a smart device at each and every door,” says Conleth Donaghy, senior project manager for CEM Systems, a U.K.-based access control provider that is part of Tyco Security Products. “As these devices develop, they will become smarter and smarter,” says Brivo’s Szczygiel. “The costs should be reduced for the overall systems because you’ll be able to put intelligence where it’s required, and not necessarily centralized.”

BROADENING SECURITY Given the high-profile hacking cases that have made headlines in the past year, critics have questioned whether network-based physical access systems are at more risk than their older counterparts.

XTec system development manager John Schiefer says most of the security threats to IP-based systems that he has seen have come in the form of attempted, albeit unsuccessful, breaches. As far as a Jack Bauer-style breach where a hacker is sitting hiding in front of a building with a laptop, Schiefer has yet to see that happen. He has, however, seen other hacking efforts. “We’ve seen significant attempts to penetrate the systems, though a lot of times, they’re just feeling around,” he says.

WITH IP MORE FUNCTIONS CAN BE MADE AVAILABLE AT THE DOOR. A READER CAN CHECK A BIOMETRIC, CARDHOLDER STATUS, CREDENTIAL VALIDITY OR REVOCATION LISTS

Szczygiel contends that twisted-pair cables are less secure than IP cables because they have no method to secure or monitor themselves. “The only security they have is that they’re buried in a wall, and the assumption is that no one knows how to find the wire,” he says. He suspects that IP is subject to more public scrutiny because high-profile hacking cases like last year’s Target breach garner media attention. “You did not hear about someone hacking wires and unlocking doors because it’s not big enough to make the 5 o’clock news,” he says. Software House’s Focke says that IP access control systems reside behind firewalls, so they are not exposed to internal network or Internet attacks. The use of virtual private networks can help corporate managers keep access control devices away from their employees as well. They typically feature standard encryption protocols, and some meet more complex standards for advanced encryption. As far as vulnerability goes, XTec’s Helbock says users need to be aware that because a system is IP based, it will need to have the proper controls and protections put on it. XTec has set up its access systems to grant login access through a smart card, a username and password, a biometric or a combination of two or more.

STANDARDS EMERGE IP has spawned a whole new set of rules for monitoring and protecting physical access points. Security used to be run out of an organization’s guard shack. Now with IP-based systems, the security requirements come out of the IT department. It is often a matter of speaking with a tech person rather than a security guard. That change alone has created stumbling blocks in the transition from old to new systems. One of the challenges in migration has been to work with the resources inside of an organization to open the correct ports and assign IP addresses for controllers to talk to hosted services. “In the old days, it was a guy with a ladder running a cable down the hall,” Schiefer says. “Now you’re depending on the resources of the IT groups. It’s a learning process.” Traditionally, physical access control has been a proprietary market with little standardization. But standards have emerged in recent years, including the Physical Security Interoperability Alliance, the Open Network Video Interface Forum (ONVIF) and the Open Supervised Device Protocol Standard. In March, ONVIF released the current IP access control standard, known as Profile C, in an effort to achieve interoperability between clients and devices of physical access control systems and network-based video systems. The industry is trying to build more standards around device-to-device protocols, but the challenge is to standardize the setup without curtailing innovation. “If you make it too vanilla, you might not get some of the high-end features people want,” Schiefer says.

MIGRATION PICKS UP PACE Despite early hurdles, industry leaders say that IP technology is becoming the norm. “There really is no option to not have IP-enabled systems. That is the way the world is going,” Szczygiel says. Focke says that there are pros and cons to IP-based systems, and it’s important to consider the needs of end users on a case-by-case basis. “Does the end user already have access control systems in place? What kind of budget do they have? What are the future plans for the location and possible expansion, or closure?” he asks. For some customers with large existing infrastructures, the benefits of migrating to IP may not yet be compelling enough to justify the cost. Focke says there is no real integration between IP and the old Wiegand system, so adopting IP technology involves a nearly complete replacement of the existing access control system. This includes everything from running new cable to installing new edge devices or readers. Still, some of these users are seeking a higher rate of security than they feel Wiegand can provide, and are moving to IP systems to address this in spite of the migration expense. “We’re seeing an overall industry transition to IP technology, but how we educate the customer on the benefits really is the cornerstone of increased adoption,” says CEM Systems’ Donaghy.

For Ponderosa Management, the IP-enabled system has helped raise customer satisfaction levels because managers correct problems quickly and residents can use their cards immediately. They can also run activity log reports to see who is entering facilities after hours. If there is damage to the property, a manager can trace the incident back to a person based on their access card. The old system had the activity log capability, but Basilicato says it was time consuming to upload data and generate reports. “Now we get an immediate report with just a few clicks,” she adds. She points out that when the infrequent problem with the new system does arise, it can typically be solved with a simple reboot. “I miss nothing about the old system,” she says.


June 8 – 10, 2015 • W Hotel, Washington, DC

ATTEND THE 2015 SIA GOVERNMENT SUMMIT

Where Technology Leaders Join to Meet Security Challenges

WHY ATTEND
• Learn the latest on legislative and regulatory matters affecting the security industry
• Gain a better understanding of the market drivers at work in the government space
• Network with government and private-sector decision makers

WHO ATTENDS
• Security Executives
• Sales and Marketing Professionals
• Security Practitioners and Policy Specialists
• Federal and Congressional Staff

FEATURING Top political and business communication advisor DR. FRANK LUNTZ

REGISTER TODAY AND SAVE!
SIA Member: $395 thru 3/31; $595 4/1 thru 6/8
Nonmember: $595 thru 3/31; $795 4/1 thru 6/8
Qualified Government Personnel: FREE thru 3/31; FREE 4/1 thru 6/8

For more information and to book your hotel visit securityindustry.org/summit

Security Industry Association securityindustry.org


re:ID NATIONAL eID SERIES:

EUROPE LEADS GLOBAL PUSH TO eID

When it comes to identification on a national level, the landscape is changing at an incredible rate. At the tip of the spear are electronic identity credentials that are being used to do far more than just prove an identity. The modern national ID is helping to consolidate more services and functions than ever before, and adoption is happening on a global scale. In a report from Acuity Market Intelligence entitled “The Global National eID Industry Report,” it is estimated that global eID program revenues will peak at $10.5 billion annually in 2016. This figure is expected to hover around $8-9 billion annually thereafter. In terms of units issued, annual eID volumes will vary from 600 to 800 million units between 2015 and 2018. The overarching objective of eID programs is to bring the national credential up to speed with the digital modernization of trusted identities. The smart cards, which may include more than one microprocessor, are enabling citizens to do everything from prove their age to login to government services. Key to this is the mobile device – the new standard for connectivity. In response to mobile, the national credential is now expected to be agile, easy to use and technically complex enough to facilitate the exchange of information between people and federal resources.

European countries adopting eID
2013 and before: Albania, Austria, Belgium, Czech Republic, Estonia, Finland, Georgia, Germany, Italy, Latvia, Lithuania, Netherlands, Portugal, Serbia, Slovakia, Spain, Sweden, Ukraine
2014: Luxembourg, Malta, Turkey
2015: Bosnia Herzegovina, Bulgaria, Russia
2016: Croatia, France, Norway, Slovenia
2017: Greece, Hungary, Poland, Romania
Source: Acuity Market Intelligence, “The Global Automated Border Control Industry Report”

54

Spring 2015

In an attempt to better understand the macro-level trends and underlying dynamics, throughout 2015 re:ID will explore eID initiatives on a region-by-region basis. First stop, Europe.

EUROPE AT A GLANCE Europe kicks off the series as the regional front-runner and bastion of eID implementations. The continent has seen the most rapid growth in the number of eID programs and is home to some of the most advanced and mature projects on the planet. There are 21 eID initiatives in place across the European continent, with an estimated 150 million citizens – roughly 30% of the continent’s population – in possession of an eID credential, according to a Gemalto whitepaper. These programs include 16 of the 28 countries of the European Union. According to Acuity’s report, of the total revenue generated for eID in 2013, Germany represented the largest at 26%. Germany was followed by the Ukraine at 17.7% and Spain at 16.8%. By 2015, the market is expected to shift with Turkey and Russia leading at 26% and 18.5% revenue share respectively.


FRAGMENTATION CREATES UNIQUE PROGRAMS Despite the overwhelming adoption across Europe, there remains wide contrast in how countries use the eID and the functions each supports. This is because these programs develop to meet the internal needs of the individual nation. Each national eID is a credential all its own, and is not the same as, nor is it an extension of, other credentials like an ePassport. “ePassports developed in response to very specific imposed requirements, but National ID programs are driven and defined by internal factors, not international mandates,” says Maxine Most, founder and principal of Acuity Market Intelligence. “So, while international initiatives, emerging best practices, and standards influence their development, national ID programs are not bound by outside authorities or influences,” she says. “They are as varied as the countries that implement them.” Another part of eID fragmentation may be the result of politics and cross-agency wranglings. Particularly as the eID continues to evolve and the number of use cases increases, more government entities get involved in the definition of an eID system. In Europe, eID programs are typically coordinated by the Ministry of the Interior, or similar governing body, and the national population register resides at the heart of the system. Unfortunately, technical and IT resources are anything but equal across national borders.

Germany opts for contactless eID One of the world’s most sophisticated and mature eID implementations can be found in Germany. Launched in 2010, the German eID includes contactless smart card functionality with electronic signatures available via token or one-time password. According to a Gemalto report, more than 30 million German eID and resident cards were in circulation in 2014, 30% of which have been activated for use for online identification. The credential confirms identity, requiring only the necessary personal data elements for each specific transaction. It also supports age verification for products that require such confirmation in accordance with the country’s Youth Protection Act. The credential is also used to verify that online businesses are in fact who they claim to be. This is particularly important because the Youth Protection Act states that buyers of certain products sold on the Internet, such as video games, must have reached a certain age. In this way, the German eID authenticates and identifies all parties in eBusiness and eGovernment transactions, not just individual citizens. As a part of the project, the German government issued one million point-of-sale readers to merchants free of charge in an effort to boost adoption and use of services via the eID.

“For a traditional ID system there may only be one owner, a Ministry of Interior for instance,” says Stefan Barbu, head of secure ID sales and marketing Americas at NXP Semiconductors. “But in an eID scheme more stakeholders need to have a say.” For example, the Ministry of Health may be involved for benefits, the Ministry of Justice for the PKI/electronic signature, the Ministry of Transportation for transit and the Ministry of Economy for the electronic tax declaration. “This institutional complexity makes it much more difficult for these projects to take off,” Barbu says.


Global and European eID Card Volume Forecast

Year: 2013, 2014, 2015, 2016, 2017, 2018
European Unit Forecasts (millions): 34.65, 59.98, 85.47, 91.31, 82.21, 71.74
Global Unit Forecasts (millions): 458.93, 539.62, 627.49, 680.97, 802.16, 740.82

Source: Acuity Market Intelligence, “The Global Automated Border Control Industry Report”

The political climate of a country could easily sway the progress of an eID initiative, says Phil Sealy, ABI Research senior analyst. “Political uncertainty, a change in government officials, elections or only having partial support from government employees can cause delays,” he explains. “Even changes or amendments to laws can become extremely time consuming for an eID project.” Beyond that, Sealy explains that funding for eID projects is another challenge. “Extremely high capital expenditure is always a concern,” says Sealy. “This can be even more of a worry in times of economic uncertainty, as projects may be delayed to further reduce government expenditure.”

EUROPEAN GEOGRAPHY DEMANDS INTEROPERABILITY, CONVERGENCE When it comes to eID initiatives on the European continent, interoperability seems to be another recurring theme. Given the sheer number of countries packed within the continent’s borders, it has become a primary objective to ensure that European eID credentials are standardized. However, the standardization process is complex and progress has been slow. There are efforts underway to create a digital identity marketplace for online identity and authentication, Most says. “Europe has the Holy Grail in its sights, but it looks to be a long and somewhat harrowing journey,” she adds. If interoperability is the goal, convergence is the reason. “Domestically, converging e-services is the focus,” says Most. “Countries such as Estonia, Belgium, and Austria have cultivated environments where these services flourish, while Germany and Spain have distributed upwards of one million card readers to promote the uptake of citizen e-services.” When people think about identity cards they think driver licenses and passports, so using them for access to other services is new, says NXP’s Barbu. “Increasingly governments want to integrate additional services to their citizens with benefits, electronic signature and mass transit topping the list,” he adds.

HIGH LEVEL IT INFRASTRUCTURE, FINANCIAL RESOURCES AND A COMMITMENT TO PAN-EUROPEAN ELECTRONIC SERVICE DELIVERY DISTINGUISHES EUROPE FROM ALL OTHER REGIONS AND SETS THE GLOBAL EID BAR

Estonia goes mobile The program in Estonia is so advanced that it has transcended eID in favor of mobile identity. In Estonia, citizens have been using Mobiil-ID to interact with 400 public and private sector services since 2007. They use it for electronic banking, applying for a driver license, accessing academic grades from universities, voting, changing pension plans and more. Estonia is verifying these services using the electronic signature function of the mobile device, which the country considers legally equivalent to a physical signature. The system is based on a specialized Mobiil-ID SIM card, which the customer obtains from a mobile phone operator. Private keys are stored on the mobile SIM card, along with a small application for authentication and signing. If a citizen were to use Mobiil-ID to log into a secure site, for instance a bank account, the process would go something like this: The user first clicks the “Log in with Mobiil-ID” option on a supported website. The mobile device beeps and displays a screen indicating that a connection is being made. The user is then prompted to enter a Mobiil-ID PIN code into their mobile device. The screen on the phone disappears and the website is automatically reloaded with a logged-in screen. Per e-Estonia.com, the official website for the program, the country also issues a chip card that carries embedded files, and uses 2048-bit public key encryption to enable it to be used as proof of ID in electronic environments. The 1.1 million active e-ID cards in Estonia represent 90% of the country’s 1.3 million residents.

The Estonian eID card is being used in conjunction with SignWise for digital signature. One of a host of Estonia's e-services, digital signature enables citizens to provide legally binding signatures and share documents in a secure, cloud environment.

STATE OF THE UNION Countries the world over are making the jump to eIDs, and Europe is leading the charge. Per the Acuity Market Intelligence report, European eID card program volumes are due to peak in 2016 with more than 91 million units issued. Despite the differences between projects, all European countries can benefit from the infrastructure and social framework that supports the delivery of a national eID. “The high level of supporting IT infrastructure and financial resources, along with the commitment to pan-European electronic service delivery, distinguishes Europe from all other regions of the world and sets the global National eID bar,” says Most. Despite political and economic factors still impacting adoption and implementation, Europe is an ideal environment to foster an eID program. European infrastructure has been a key contributor to the success of eID implementations thus far and will be vital as the continent continues its pursuit of standardization across borders.


S.D. SCHOOL DISTRICT DEPLOYS ENTERPRISE-WIDE ACCESS CONTROL

Securing schools has always been a priority but the need has been underscored in recent years. Harrisburg School District in South Dakota is no exception. It had a physical access control system in place, but administrators wanted a standardized, district-wide security system. The district has eight buildings, one high school, two middle schools and five elementary schools, says Michael Christopherson, technology director for the Harrisburg School District. There are three building projects in the works as well, a high school addition, an alternative classroom and another elementary school. “We’re the fastest growing school district in South Dakota,” he notes. The three main priorities of the new physical access control system and security plan were to have a way to conduct building lockdowns, add duress buttons and provide better access control to facilities, Christopherson explains. The district had been using a mix of Cyberkey and 125-kilohertz proximity technology, Christopherson says. Cyberkeys are proprietary key-like devices that communicate with a matching lock cylinder to provide standalone electronic access control without wiring. This system was problematic because every time a change had to be made each lock had to be individually updated, he explains. Two years ago, that system was replaced with an access control system from Gallagher that uses 125-kilohertz prox throughout for access to facilities. Faculty and staff are issued cards, as are coaches and volunteers needing access during different times. Cameras were also added to the system so that whenever a point is accessed the cameras turn on. One of the advantages of the Gallagher system is the ability to program and schedule who should have access and when, Christopherson explains. “If there’s practice on Saturday we can control access,” he says. “We’ve issued cards to the fire department, even the milkman, and are able to regulate access at specific times to specific areas.”

The Gallagher system has worked well for the district in a large part because of the flexibility and the ability to add different functionality, says James Straatmeyer, owner of Integrated Technology & Security, the systems integrator that deployed the system in Harrisburg. “With other systems you often felt like your hands were tied,” he explains. “Gallagher’s system is super flexible; it can do whatever you want it to do.” The school is able to grant access by adding calendar updates to Microsoft Outlook. For example, if work is being done in the gymnasium of the high school after school hours, a Microsoft Outlook request can be made for the times that access is required. A supervisor would approve that request, a credential would be issued if one has not been and access would be granted for that specific time. The district was even able to hook its cafeteria freezers into the system. If something goes wrong and the freezer malfunctions, the system will send an alert to the appropriate individual, explains Christopherson. There is mobile functionality to the system as well. If someone arrives at the district central receiving office, an attendant can be notified on a mobile device and a live video of the visitor can be displayed on the handset. The duress buttons were another sought after feature with the new system. Each facility has two buttons, one at the main entrance and another in the office. As soon as one of the buttons is pressed, a text message with a link to live video is sent to the administrators in the building as well as the central office, Christopherson explains. Administrators have 30 seconds to determine if a threat is legitimate before the police and fire department are automatically notified. He adds that the new system met their three original priorities and continues to grow as new needs arise.


9th Edition

THE GLOBAL HUB FOR NEXT-GENERATION CITIZEN AND GOVERNMENT ID SOLUTIONS

QEII CONFERENCE CENTRE WESTMINSTER, LONDON, UK CONFERENCE: 9-11 JUNE 2015 EXHIBITION: 10-11 JUNE 2015 •

Security documents, border control, ePassports, eID, registered traveller programmes, document design, breeder documents and anti-counterfeiting… Major focus on biometric technology, document design and fraud detection. Plus, intelligent border control techniques More than 100 companies exhibiting from around the world – last few stands remaining Register to attend the exhibition for free, or book now for preferential rates to attend the conference – the earlier you book – the lower the rate!

www.sdw2015.com

Discounted rates for Government delegates – plus buy one place and get the second half price

New initiatives to boost attendance from senior-level Government and Law-Enforcement representatives

Lower rate conference places for delegates from Africa, Asia and South America

Meet 1750+ attendees from 65+ countries at this major global secure document and identity technology event

IF GOVERNMENT AND CITIZEN ID MARKETS ARE YOUR BUSINESS, SDW 2015 HAS THE ANSWERS...

ORGANISED BY:


RETRANSFER UPS THE ANTE FOR DESKTOP CARD PRINTERS

QUICK, CHEAP AND HIGH-QUALITY ALL WITHIN REACH

AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Fast, cheap or good. The old adage says you typically can’t have all three. The same has been true when choosing a card printing technology, but things are changing. The direct-to-card method has long filled the “fast and cheap” niche. The newer retransfer printing method delivers the “good” in the form of superior image quality. More recently, it’s become cheaper, too. Lower costs and a rise in chip card use are driving up the demand for retransfer card printers. In addition to the high-quality images, the technology also enables over-the-edge printing and printing on uneven surfaces often found when cards contain chips or other embedded technologies. This is due to the way color is applied to the card during the imaging process. The direct-to-card method uses a print head to apply dye from a printer ribbon directly onto a plastic card. This tends to be faster and less expensive, but often provides a noticeably lower quality image and misprinting on uneven surfaces. It also causes wear and tear on the sensitive and costly print head, particularly as it encounters hard edges and surface imperfections. The retransfer method addresses these problems by applying the ribbon’s dye to a separate clear transfer film. This film is then attached to the plastic card as a single overlay so the print head never comes into contact with imperfections in the card’s surface or its hard edges. Today, secure applications from driver licenses to government IDs and corporate badges to student ID cards are moving to retransfer printing at an increasing rate.

COMPANIES OFFER BOTH Evolis is the latest card printer manufacturer to leverage retransfer technology with the addition of its Avansia printer. Evolis introduced the new line of printers late in 2014 after seeing an increase in demand for higher quality cards, especially in government applications. “Avansia gives us access to different segments in transportation and government that we didn’t have access to before,” says Gerardo Talavera, managing director for the Americas for France-based Evolis. The Avansia printer line complements the company’s existing line of direct-to-card printers, and as Talavera says, the two printing technologies cater to the needs of different markets. He says retransfer printing generally serves markets that require cards with higher durability, security and image quality. Direct-to-card offers a lower cost alternative for high-volume print jobs in which a card’s life span and image quality are of less concern, such as short-term ID badges and loyalty cards. What makes the Avansia printer noteworthy is that it prints images at an ultra-high 600 dpi resolution, whereas the current standard for most high-resolution printers is 300 dpi. Talavera expects 600 dpi to rapidly become the new standard for ID printing. Government and financial institutions prefer retransfer printing because it enables printing on different card materials with uneven surfaces and embedded chips. To further improve image quality in such situations, Talavera says the Avansia includes a built-in card flattener. Retransfer printing is a more complex technology and costs more. It tends to be about 40% more expensive, Talavera says, for both printing costs and the price of the unit itself. Direct-to-card printing is ideal for inexpensive, entry-level print jobs that might require single-side printing with only a photo and text, such as convention ID badges, he says. There’s also greater speed with the direct-to-card method, which can make it more appealing for larger printing jobs. The Avansia prints 140 cards per hour while direct-to-card printers produce 180 cards per hour.

GAINS IN MARKET SHARE Insiders predict interest in retransfer printing to grow rapidly in the coming years. Today, reports suggest it accounts for about 15% of printer sales, up from just 5% a few years ago. “Over time, that might even get up to 20%,” says Connell Smith, vice president of distributed issuance, supplies and secure technology products for Datacard. The retransfer market is growing faster than the direct-to-card market, he notes. Experts attribute that rise to the increase in the use of smart cards and the fact that costs are coming down for all types of printing. It used to be that a printer that provided good print quality cost $4,000 or more, but today it could cost just $2,500. At the same time, interest continues to grow for traditional direct-to-card printing. For printer manufacturer Zebra Technologies, more than 70% of the company’s printing revenues come from low to midrange direct-to-card printers and printer media, says Kelly Ambriz, senior product manager for Zebra. At both ends of the spectrum, Ambriz says sales are strong with printing unit revenues hitting record levels in a recent quarter. “The market is good right now, and we expect to see that into next year, too,” he says. Through its Fargo printer line, HID Global has offered both printing methods for a decade and a half, says Jim Meier, senior director of product marketing for HID. He says the growing demand for technology cards drove the addition of retransfer printing to HID’s offerings in 1999. “There was always this desire to print on these types of cards, and this really was the way to do it in the most effective manner,” he explains.

THE HIGHER-END RETRANSFER PROCESS ACCOUNTS FOR ABOUT 15% OF DESKTOP PRINTER SALES, UP FROM JUST 5% A FEW YEARS AGO

THE CASE FOR RETRANSFER Datacard’s Smith points to three reasons why organizations prefer retransfer printing. One is for over-the-edge printing in which the image is prominent. Direct-to-card printing produces images that don’t bleed over the edge of a card, and that can create a white line around the border of the card. That might not be an issue for grade school student ID badges, but a financial institution wants a more sophisticated card appearance, he explains. By printing onto a clear film, the retransfer method can produce over-the-edge printing without any white border. The second is for the flatness of cards. If a card isn’t flat or even, a direct-to-card print head won’t be able to transfer the image reliably. “This is one of the reasons I think retransfer has grown,” Smith says, referring to the increase in the use of smart cards that often have a dimple on the card where the chip is embedded. The third reason for using retransfer is that it enables printing on a wider range of plastics. Whereas direct-to-card printing works only on PVC plastic because of its porous surface, retransfer can accommodate multiple print surfaces, including sturdier materials such as polycarbonate and PETG. Although PVC accounts for about 90% of the cards printed in the world, high-end government cards sometimes call for stronger types of plastic.



And then there’s added security. Retransfer printing can enable higher levels of card security by allowing the incorporation of techniques – such as holographic and other visual security elements – in the transfer film and overlay process. Cards printed with retransfer film make it easier to detect fraud. “If an attempt to alter the image has been tried, it is easier to detect because the film will be affected,” Ambriz says.

HOW DOES RETRANSFER TECHNOLOGY WORK? (Diagram; source: Evolis.) The card is printed in two phases: 1. The card design is printed by dye sublimation on a transparent film. 2. The printed film is then fused to the card using a thermal bonding process. Parts labelled in the diagram: flattener, heat roller, print head, clear film, card, color ribbon.

AN OVERSTATED ADVANTAGE? Despite individual preferences for one print type over the other, Smith contends that there are ways to achieve a similar outcome with both direct-to-card and retransfer printing. Because the technology is basically the same as retransfer from a printing perspective – you can have a 300 dpi resolution on both – in general, the quality can be similar on the two, he adds. “When people talk, they push retransfer more. But it’s all in the implementation; it’s not in the fundamental technology, even though there are perceptions out there that one may be better than the other,” he says. Although some promote retransfer as providing a better image quality, Smith says that may not always be the case. “Both types of printers can create high-resolution images, so there’s not one better than the other in terms of image quality,” he says. At one point, Datacard started printing cards with both retransfer and direct-to-card printers and showed the end result to partners and customers for feedback. Smith says people could not reliably pick out which print type was which. “Depending how well it’s implemented, you can get very good results with direct to card,” he says. Even with direct to card, the printer can print an image very close to the edge of the card. Smith believes the future of card printing will focus less on printing the image and more on the printer’s other capabilities, such as incorporating protective laminates or security features such as holograms.

FORTIFYING CARDS THROUGH PRINTING Vendors are working to bring more durability and security to cards through printing. There is a push to make retransfer film sturdier to address markets such as financial cards. “This is a card you’re going to swipe frequently as you’re making your purchases,” says HID’s Meier. “The image will wear after a certain number of swipes, so adding durability makes the card last longer.” More high-definition print heads are finding their way into the retransfer space, too. Like Evolis with its Avansia line, other manufacturers are exploring printers that can produce 600 dpi images. Even as new advancements come into play, Talavera contends that there will continue to be a need for both printing technologies. “I don’t think there’s really good or bad,” he concludes. “You need to match the printer to the needs of the end user and what makes sense for their budget.”




VIRGINIA FIRST STATE POISED TO ENACT DIGITAL IDENTITY LAW

GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Legislation in Virginia would create uniform standards for strengthening and authenticating digital identities. The Commonwealth of Virginia is taking the lead on this issue, as the first in the nation attempting to codify their way out of weak passwords, data breaches and identity theft. The bill has been approved by the General Assembly and awaits the Governor’s signature, which is to occur in March. The proposal is not a political reaction to recent newspaper headlines. It has undergone significant study – four years’ worth – by the Legislature’s Joint Commission on Technology and Science. The main sticking point has been how to handle liability for identity providers. To learn more, we spoke with the main authors of the bill. Jeff Nigriny is president and founder of CertiPath, a trust framework provider that certifies authentication and access control devices with a focus on high assurance for aerospace and defense industries. Timothy Reiniger is director of the digital services group at Future Law, a law firm and government relations firm based in Richmond, Va.

Q: Data breaches are becoming a weekly headline. How is identity an important part of solving or stopping this problem? NIGRINY: If we look at virtually every data breach and system hack over the past few years, weak identity mechanisms online are to blame. If we can fortify identity online with the same investment that the industry has put into the network security solution side, we will have taken away the primary mechanism that most every sophisticated hacker has used. Cyberspace is new, and the Internet on which it is largely based was created without regard to identity. It’s my belief that until we fix online identity, data breaches and system hacks are going to be commonplace.

Q: What does the bill do? REINIGER: First of all, both the National Strategy for Trusted Identities in Cyberspace and committees in the American Bar Association exploring these issues have identified a major barrier to the creation of a third party identity credentialing market in the unpredictability of liability for identity providers and the lack of a common legal framework. The bill addresses the creation of a common legal framework by providing a series of definitions to be enacted in statute – definitions that have been used in the contract world by trust frameworks and identity providers. Second, the bill addresses the unpredictability of liability for identity providers by providing significant limitations to that liability in order to incentivize private sector players to be identity providers and trust framework operators. Finally, the bill creates an actual standards body that is public-private. It is overseen by the state, in this case the Commonwealth of Virginia in the form of the Secretary of Technology. Because technology is shifting so quickly, there cannot be a one-size-fits-all approach and there cannot be one set of standards that is fixed for all time. This advisory council will be creating a minimum set of guidelines to be followed by trust framework operators. This would change over time, and this council would be looking to integrate and update its standards with the larger international community.

Q: How would it enable digital identity adoption? NIGRINY: Every time a user creates an account, selects a user name or self generates a password, that website or application provider is taking on an unnecessary risk through the use of such weak identity mechanisms. Strong online identity credentials like those used in the federal government are initially more expensive than a simple password. But if the user is able to use that strong identity credential everywhere, then it’s really no different than a fee you might pay for your credit card. If online application providers adopted systems based on properly validated identity credentials, it would be far safer and less expensive. We believe commercial organizations will be the most common providers of online identities. Those providers must be able to rely on a consistent legal environment in order to adequately predict what the risk is going to be. Without it, fewer providers are going to be able to play in the market, which naturally results in higher cost to the consumer. So this bill does a lot to help with improving liability allocation and hopefully will drive to a lower overall cost.

Q: Does this legislation actually provide immunity to identity service providers? NIGRINY: The answer is no, but it’s a qualified no. The first thing to understand is that almost all the legal situations that people are familiar with in their normal business or consumer life are bilateral contracts where there are just two parties, be they individuals or companies. But the proposed identity bill seeks to resolve this ambiguity introduced through third party reliance on identity credentials. REINIGER: The common law as it exists does not accommodate this type of third-party identity system. What this bill does, however, is say that:
1. If an identity provider or trust framework operator issues a credential in a manner that’s not in compliance with the state minimum standard or a separate private contract or the standards/rules/policies of the identity framework in which the parties operate, there will be liability.
2. If a credential is issued in compliance, there could only be liability if the identity provider is grossly negligent or it’s a wantonly willful act of misconduct.
3. The bill distinguishes issuance versus misuse. It expressly says that an identity provider or an identity trust framework operator shall not be liable for misuse of an identity credential by the credential holder or any other person who misuses the credential. An identity provider can only control the issuance process.
4. This bill does formally recognize the trustmark for the first time in this country and provides for a warranty. The identity provider using a trustmark is warranting that it has issued the credential in compliance with the state standards and the rules/policies of its trust framework.

Q: Why does the bill focus on identity trust frameworks and their trustmarks? NIGRINY: Merchants don’t have a direct relationship with, or even knowledge of, every bank that might represent a credit card that a patron will present at their store. They trust the secure clearinghouse relationship that was established by Visa, MasterCard, AmEx or whomever. Trust framework providers handle certification and the continuous vetting of the credit card providers. In identity, we see the potential for large numbers of identity providers at various levels of assurance in the online identity marketplace. Unless a trust framework exists to help us aggregate all those providers, these websites and e-commerce portals and supplier portals – which I’m calling relying parties – will not be able to adequately understand what rules any given identity provider was issuing under or if that issuer is even still trustworthy. So the Commonwealth of Virginia, under the Secretary of Technology, is going to review and endorse trust frameworks that meet their requirements, and there’s going to be an official Virginia government listing. How does an identity credential prove that it’s part of that community? That’s where trustmarks come in. A trust framework operator can provide a digital token to certified members that enable the identity provider to prove that they are a member in good standing and they’re following the rules of the framework they fall under.

THE COMMONWEALTH OF VIRGINIA IS GOING TO REVIEW AND ENDORSE TRUST FRAMEWORKS TO AID CITIZENS, IDENTITY PROVIDERS AND RELYING PARTIES

Q: What was the catalyst behind drawing up this bill? REINIGER: There have been so many data breaches that the Virginia legislators are now using this bill as a consumer protection bill. They’re realizing that consumers need better protection than a simple username and password; they need to have access in an affordable way to third party credentials. They get now why we need to incentivize a private market of third-party credential providers and identity proofers.



OSDP ACCESS CONTROL SPEC DELIVERS INTEROPERABILITY

NEXT STEPS INCLUDE IP-BASED COMMUNICATION, NEW PROFILES

JOSEPH GITTENS, SECURITY INDUSTRY ASSOCIATION

In April, the Security Industry Association Open Supervised Device Protocol (OSDP) will be a key piece of the SIA InteropFest at ISC West 2015. OSDP has a long history as an access control specification. And the story has always been one of interoperability and new functionality. Born out of a mission to simplify custom integrations between vendors of access control panels and peripheral devices, OSDP is now an ANSI-standards candidate. It is gaining popularity as a building block for next generation physical access control and is currently adding support for Internet Protocol-based (IP) communication and other enhancements. The turn of the century was an interesting time for the security industry. Companies were looking for ways to remain current within the context of information technology convergence. In the area of access control, customers were demanding security solutions to be as feature-rich, secure and user-friendly as the applications on their PCs. They wanted capabilities such as message encryption between access control devices, event-based user feedback and the ability to leverage emerging smart card capabilities. But this proved difficult with the already over-extended security communications protocols – such as Wiegand – readily available at the time. Access control providers began teaming up to patch together engineering workarounds to meet customer requirements. While there were some extremely successful deployments, the engineering support and development necessary to provide these customized solutions proved a costly and unsustainable model. In search of a better way, Mercury Security and HID Global partnered to develop an open protocol to connect control panels with various peripheral devices while unlocking the potential of the increasing onboard computing resources within access control systems. The result was OSDP. Assigned to SIA in 2012 in order to promote its openness and enable the specification to evolve with input from the entire industry, SIA OSDP has a number of advantages over other security protocols:
It is a better communications approach – bidirectional, more secure, fewer wires, longer range and multi-drop.
It offers unlimited application enhancements – direct biometric support, smart card interface, authentication, Federal Information Processing Standards compliance and interactive terminal capabilities.
It is open. Any solutions provider, integrator or end user can not only build products that conform to the specification but can also participate and contribute to its advancement.

The SIA Standards Committee is producing tools that help solutions providers develop and test new features in an OSDP environment. About a dozen access control vendors have already released products that support SIA OSDP and many more are developing compliant products.


INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.

This growing support was on display a year ago at ISC West 2014 when seven vendors participated in an OSDP Interoperability Plugfest. Panel providers – Axis Communications, Mercury and Siemens – joined reader vendors Allegion, HID, Identiv and INID to demonstrate interoperability and different functional capabilities of their products when paired with different devices. This event also marked the release of the SIA Open OSDP Test Tool, a free application designed for implementers to test OSDP conformance. The Open OSDP Tool has three modes and can act as an OSDP control panel, an OSDP peripheral device or as a message sniffer between two connected devices.

WHAT’S NEXT FOR OSDP? The success of this event enabled the SIA OSDP Working Group to focus on delivering even more functionality to the industry. The security industry faces a new convergence as many companies, new and old, are embracing a wholesale shift toward IP technology, addressing the ever-increasing importance of cybersecurity and realizing that these access control systems are a part of a technological phenomenon called the Internet of Things. Many of these devices will provide data streams that can be used as part of security and risk management. In the aggregate, they will also produce enough information that Big Data analytics now become a relevant tool for the improvement of an organization’s overall security posture. While the OSDP Working Group has started looking at how the specification will remain relevant in the changing security landscape, the next tangible goal is to define application profiles. These profiles describe a set of capabilities and a set of OSDP messages that must be supported by devices that conform to a given profile. For example, an OSDP profile can be used to achieve compliance with the requirements of Federal Identity Credential and Access Management (FICAM) for deployment of physical access control systems (PACS) within the federal government. The OSDP messages needed for FICAM may be very different than a simple PACS deployment in a commercial office building or a biometrics PACS deployment at a datacenter, where the peripheral is not even presented with a card. Ultimately, this profile scheme will enable testing and verification of compliance of the devices, which ideally will lead to interoperability of devices within each profile. The second tangible near-term goal of the OSDP Working Group is releasing SIA OSDP for use over Internet Protocol (IP). The current SIA OSDP specification (version 2.1.6) is specified for a multi-drop serial RS-485 communication channel, but the Working Group is committed to extending it over IP with minimal changes to its actual structure. The IP connection will solve the data throughput limitations of RS-485. Further, the use of IP sockets will permit the ability to run the TLS data security standard at the socket layer, which will gain OSDP-over-IP immediate acceptance by the IT community.
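The sniffer mode of the SIA test tool and the profile conformance testing described above both start from pulling individual OSDP frames off the RS-485 bus and checking their integrity. As an added example that is not SIA's tool or any vendor's code, here is a minimal OSDP frame encoder, decoder and stream scanner in Python; it assumes the frame layout and CRC-16 parameters (polynomial 0x1021, initial value 0x1D0F) of the public OSDP v2 specification as I recall them, so verify the field layout against the current spec, and the command codes, security control block bytes and captured bytes it handles are constructed samples.

```python
"""Minimal OSDP frame codec and bus sniffer (added example, not SIA's tool).
Assumed layout, from the public OSDP v2 spec as recalled (verify against the current text):
  SOM(0x53) ADDR LEN_LSB LEN_MSB CTRL [SCB...] CMD/REPLY DATA... CKSUM | CRC_LSB CRC_MSB
LEN counts every byte incl. SOM and check bytes; ADDR bit 7 marks a reply from the reader.
CTRL bits 0-1: sequence; bit 2: CRC-16 present (else 8-bit checksum); bit 3: a security
control block (SCB) follows, its first byte being its own length."""
from dataclasses import dataclass

SOM, CTRL_CRC, CTRL_SCB = 0x53, 0x04, 0x08
MIN_LEN = 7  # 5-byte header + command byte + at least one check byte

def crc16_osdp(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, init 0x1D0F, MSB first (assumed OSDP parameters)."""
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def checksum8(data: bytes) -> int:
    """8-bit two's-complement checksum used when CTRL bit 2 is clear (assumed)."""
    return (-sum(data)) & 0xFF

@dataclass
class Frame:
    address: int            # 0..126 on the RS-485 bus
    is_reply: bool          # True for peripheral device -> control panel
    sequence: int           # 0..3
    code: int               # command or reply code
    data: bytes = b""
    scb: bytes = b""        # raw security control block; empty when not secure

    @property
    def secure(self) -> bool:
        """Lets a sniffer report whether secure channel is actually in use on the bus."""
        return len(self.scb) > 0

def encode(frame: Frame, use_crc: bool = True) -> bytes:
    ctrl = (frame.sequence & 0x03) | (CTRL_CRC if use_crc else 0) | (CTRL_SCB if frame.scb else 0)
    addr = (frame.address & 0x7F) | (0x80 if frame.is_reply else 0)
    body = bytes([frame.code]) + frame.data
    length = 5 + len(frame.scb) + len(body) + (2 if use_crc else 1)
    head = bytes([SOM, addr, length & 0xFF, length >> 8, ctrl]) + frame.scb + body
    if not use_crc:
        return head + bytes([checksum8(head)])
    crc = crc16_osdp(head)
    return head + bytes([crc & 0xFF, crc >> 8])

def decode(buf: bytes) -> Frame:
    """Parse one frame; raise ValueError on any framing or integrity failure."""
    if len(buf) < MIN_LEN or buf[0] != SOM:
        raise ValueError("not an OSDP frame")
    length, ctrl = buf[2] | (buf[3] << 8), buf[4]
    if length != len(buf):
        raise ValueError("length field %d does not match %d bytes" % (length, len(buf)))
    if ctrl & CTRL_CRC:
        end = len(buf) - 2
        if crc16_osdp(buf[:end]) != (buf[end] | (buf[end + 1] << 8)):
            raise ValueError("CRC mismatch")
    else:
        end = len(buf) - 1
        if checksum8(buf[:end]) != buf[end]:
            raise ValueError("checksum mismatch")
    scb = bytes(buf[5:5 + buf[5]]) if ctrl & CTRL_SCB else b""
    pos = 5 + len(scb)
    if pos >= end:
        raise ValueError("frame has no command/reply byte")
    return Frame(buf[1] & 0x7F, bool(buf[1] & 0x80), ctrl & 0x03, buf[pos], bytes(buf[pos + 1:end]), scb)

def sniff(stream: bytes) -> list:
    """Recover every valid frame from a captured byte stream, resynchronising after junk."""
    frames, i = [], 0
    while i + MIN_LEN <= len(stream):
        length = stream[i + 2] | (stream[i + 3] << 8)
        try:
            if stream[i] != SOM:
                raise ValueError
            frames.append(decode(stream[i:i + length]))
            i += length
        except ValueError:
            i += 1  # not a frame start, or a corrupted frame: slide forward one byte
    return frames
```

Feeding `sniff()` a captured byte string returns the frames whose length and CRC (or checksum) check out, with `secure` showing per frame whether a security control block was present; corrupted frames are skipped rather than trusted.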

GET INVOLVED Participation in the Working Group provides participants with a rare opportunity to both serve their companies’ direct interests and assist in establishing standards that move the entire industry forward. The InteropFest at ISC West on Wednesday, April 15, will showcase the progress of the OSDP Working Group. The number of vendors able to demonstrate OSDP has doubled since last year, and the group plans to demonstrate working profiles and explain how the spec will extend toward IP and the inclusion in the Internet of Things. Joseph Gittens is director of standards at the Security Industry Association. He can be reached at jgittens@securityindustry.org.



BIOMETRIC TECH GOES MAINSTREAM VIA NATIONAL TV ADS

ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

Two years ago, few would believe that television commercials would be touting biometric technology. But guess what? Today, ads promoting payments with your fingerprint and iPhone run on primetime TV. Pop star Gwen Stefani encourages consumers to use their MasterCard with Apple Pay to make purchases and win concert tickets, shopping sprees and other perks. Ads have run during the World Series, plugging it as a payment option at baseball stadiums, and during the NBA All-Star Game. Apple and MasterCard might be the big marketers in this arena but others are stepping up. Intel has a commercial marketing its True Key facial recognition technology with actor Jim Parsons of Big Bang Theory fame. True Key enables consumers to login to their computer or mobile device with a facial recognition app. While Apple wasn’t the first to put a fingerprint scanner on a mobile phone, it can be credited with bringing the technology to the masses. The addition of near field communication coupled with the fingerprint scanner to make payments extended the use of the biometric to more than simple unlocking of the device. Apple has also opened up the Touch ID API so that app developers can take advantage of the security technology for access or additional authentication events. Financial institutions and others are taking advantage of the fingerprint scanner on handsets as well as using voice or facial recognition so users don’t have to enter long complex passwords on mobile devices. Apple Pay is another example of how the company takes something that’s been around for a while and makes it simpler. From enrolling cards to using the system, it’s just easy. Enrolling the cards was simple. I included the credit card associated with my iTunes account and then decided to add my debit card as well. For that, I took a picture of the card and it was quickly added to my passbook. I also had to go through the process of confirming my iTunes card as well. After both were enrolled, I received emails from my banks confirming the enrollment in Apple Pay. Now it was time to make some purchases, and first on my list was Walgreens. After the clerk rang up my purchases I placed my phone near the point of sale and the screen just lit up. It showed both of the cards I had enrolled, and by simply touching one or the other, I could choose the card to use. For the first purchase I chose my debit card, touched my fingerprint on the Touch ID scanner and received the short vibration prompt confirming the purchase was complete. But in this case that wasn’t entirely true. Since I used a debit card, the point of sale asked for my debit card’s PIN and then took me through the rest of the prompts – cash back and confirm amount – before finalizing my transaction.

The next couple of purchases I made I used my other credit card and it worked perfectly. I simply held my phone to the terminal, touched the fingerprint scanner and it worked. I was even able to pay for a cab that had an onboard contactless terminal. I had previously tested an add-on phone case that enabled me to make payments using my iPhone 4. It was extremely clunky to activate the phone and launch the app to make a payment. The fact that when you hold the phone up to the terminal it just works, and enables you to choose which card to charge the purchase to, makes Apple Pay very easy to use. And then there’s the added bonus of these transactions being more secure. They’re authorized with a fingerprint, while on the backend all the Apple Pay transactions are tokenized and account numbers aren’t ever shared or transmitted. It will be interesting to see how Apple’s NFC technology evolves. They’re making money off of each payment and it will be interesting to see how they open up the NFC capability to hopefully enable physical access control and other applications to take advantage of the new iPhone’s NFC chip. Apple will also be including NFC in the Apple Watch coming out later this year. With a half dozen handsets now including fingerprints for access, and app developers using facial or voice biometrics, it’s an exciting time for the mobile security market.

