Regarding ID Summer 2014

A SURVEY OF ID TECHNOLOGY - SUMMER 2014 - ISSUE 38

Exorcising the

biometric Boogeyman

Misinformation breeds monstrous tales of biometric technology


Some security technologies are sooooo yesterday.

Stay on the cutting edge with the interoperable iCLASS SE® Platform — for access control that’s never out of style. Choose HID Global’s iCLASS SE® Platform — the open, adaptable solution that easily integrates smart cards, mobile devices and whatever tomorrow brings, for greater security, flexibility, simplicity and performance. Now as your access control evolves, your budget will stay optimized and your security will always be in style. Start your iCLASS® SE Platform makeover at hidglobal.com/yesterday-reid © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and iCLASS SE are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.


RELIABILITY DELIVERED DEPEND ON CONSISTENT CARD PRINTING WITH DATACARD SECURE ID SOLUTIONS ®

Our printers, supplies and software are engineered and tested to work together so you can dependably deliver IDs on time and on budget. Our commitment to Secure Issuance Anywhere™ means that you can count on Datacard Group to deliver superior reliability and proven technology — anytime and anywhere you need it. Demand the performance you need. Demand Datacard® secure ID solutions. Get started by contacting an authorized Datacard partner near you. Call 1-800-995-0503 or visit www.datacard.com/id

Datacard and Secure Issuance Anywhere are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. ©2014 DataCard Corporation. All rights reserved.


INNOVATION KEEPS YOU ONE JUMP AHEAD

90 countries

1,500,000+ locks

13,000+ projects

15,000,000+ people use SALTO products every day

Clay by SALTO, 2014

We’re driven by innovation. Guided by our insights into customer needs, we deliver industry-leading, next-generation electronic locking solutions without wires and without mechanical keys. Since 2001, SALTO has been redefining the access control world by continually being first to anticipate market needs in a rapidly evolving marketplace. We set new standards in security, manageability and scalability. With SALTO say goodbye to mechanical keys. SALTO hardware and software can be networked without wires to provide real-time intelligence and instant control, enabling integration with existing systems to improve manageability and enhance end-user experience.

SALTO SYSTEMS WORLDWIDE: Australia, Belgium, Canada, Czech Republic, Denmark, France, Germany, Italy, Mexico, The Netherlands, Norway, Poland, Portugal, Singapore, Slovak Republic, South Africa, Spain, Sweden, Switzerland, UAE, UK, USA.

www.saltosystems.com


HOW DOES YOUR COMPANY IDENTIFY ITS EMPLOYEES?

By providing ID badges instantly with an Evolis card printer. Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.

www.evolis.com


CONTENTS

6 Editorial: Fla. lawmakers conjure biometric boogeyman. State bans ID tech, schools less secure

8 ID Shorts: News and posts from the web

20 Cover Story: Biometric education a necessity. The media's portrayal of biometric technology is rarely accurate and often outlandish. Commercial biometric identification systems store numeric templates rather than images, and hackers can't fool these systems like they do on TV. Consumers, media and lawmakers must be educated on how biometric technologies can increase security in privacy-enabling ways.

21 Biometrics: Separating fact from (science) fiction. The ID technology is under attack by lawmakers that don't understand how it works

22 Political fallout elsewhere?

24 Shedding light on Florida's biometric ban

25 Déjà vu all over again: Anti-RFID legislation followed similar pattern

26 IBIA makes case for biometrics in schools

28 Spoofing confusion fuels biometric critics. Publicized spoofs tend to be overblown and misinterpreted

30 Iris vs. retina biometrics: Yes, they really are different

U.S. federal smart card mandate hits decade mark. Much has been done but still a long way to go

34 Lost Malaysian flight highlights passport system vulnerability

36 Technology choices abound for stronger digital identity. Password replacement methods take many forms

40 Will Bluetooth kill the NFC chip? Some call it a more secure, easier to work with communication protocol. Numerous obstacles have plagued near field communications. The technology has been crippled by the lack of both equipped handsets and access to the secure element. Amid the confusion, Bluetooth Low Energy has emerged as an alternative to NFC. It is included in the majority of today's handsets and PCs, and what's more, it's easier to use. Also: Using Apple's Bluetooth iBeacons for access

44 Vetting identity online for state benefits. Health care ushers in secure access for citizen e-services. State budgets are tighter than ever. In order to save money, agencies delivering benefits are looking to online identity vetting to speed up the application process and reduce in-person visits. The systems also help states prevent ineligible citizens from gaining access to benefits. But without face-to-face contact, can identities be accurately verified?

48 Hardware Security Modules: The gold standard for encryption key security

51 Oak Ridge National Labs deploys combination PIV, CIV smart card ecosystem. Large deployment includes 260 operating buildings, staff of 9,000

52 OpenID eyes top spot in online identity. Newly standardized user authentication approach supported by tech giants

54 Two-factor authentication key to securing cloud

56 Today's contactless cards do more than just open doors. Real-world deployments reveal range of secure services

59 Macao goes contactless for citizen IDs. Region replaces contact chip cards to increase speed, durability

60 Could multi-factor have clotted Heartbleed? Two-factor protects users from mammoth bug's sting

64 'TEE' it up for high-assurance transactions. Trusted Execution Environments offer alternative to secure element

66 Managing logins with 'CloudEntr'. Solution brings big business identity management to the small enterprise


ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS Liset Cruz, Gina Jordan, Ross Mathis, Will Rodger
ART DIRECTOR Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2014 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com


FLA. LAWMAKERS CONJURE

BIOMETRIC BOOGEYMAN

STATE BANS ID TECH, SCHOOLS LESS SECURE ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

When I see biometric technology mischaracterized on a show or in a movie I yell at the television as if the White Sox botched a routine double play. A character referring to iris biometrics as retina scans and another placing his fingerprint on a hand geometry scanner are two of the more recent offenses from network TV. My wife is a big fan of "Alias," so when I told her they couldn't recreate a fingerprint that easily she asked me to go into the other room and quit ruining her show.

Seldom do TV and movies accurately portray identification technologies. In the past this was just an annoyance or pet peeve, but it is becoming a bigger issue. Misperceptions are leading misinformed legislators to do stupid things – like banning a technology they know nothing about.

This spring Florida became the first state in the nation to ban the use of biometric technologies in public schools. The impetus for the ban was the Polk County School District's decision to use iris biometrics to identify students getting on and off buses. They put the system in place and enrolled the students but failed to notify parents. Bad move. Parents weren't crazy about the technology.

Just an hour west on I-4 in Pinellas County, schools have been using palm vein technology to enable students to pay for lunch. In this case, parents were notified and had the ability to opt out, though officials report very few chose to do so. The system enables the school to get everyone through line quickly and efficiently and students need not remember cash, PINs or passwords. The technology has been extremely well accepted.

Public schools aren't great places to try out new ID technologies, especially without parental consent. In 2005 a California school outfitted student IDs with long-range RFID tags, the kind used for tracking livestock on ranches or products in the supply chain. Parents weren't notified and when they found out, weren't pleased. They feared that the tags would be read outside of school and could lead to tracking children or worse.


PERSPECTIVE

The outrage grew to the point that a state senator proposed outlawing all RFID technologies in California schools. This would have included the short-range contactless smart cards that are used for secure physical access control. This served as a rallying cry for the ID industry, which spent the next five years educating state lawmakers across the country on the different types of RFID and its positive uses. The bans were pushed back largely due to the efforts of ID industry lobbyists. I’m still astounded by the knee-jerk reaction of these pieces of legislation. In California lobbyists were able to talk to and educate lawmakers. In Florida, however, it seems that legislators refused to listen. Pinellas County officials testified on the benefits of their biometric rollout but were largely ignored. Other testimony detailed how these systems work and can be used to enhance privacy, but lawmakers rejected the notion.

Instead, they conjured up a biometric boogeyman that’s lurking in the corner waiting to hack template algorithms and snatch children’s souls … I mean identities. The bill’s sponsor admitted that she didn’t know of a single instance of a hacked template or stolen identity through a breached biometric database, but legislators still voted for an outright ban of the technology. Ultimately, Florida public schools will be less secure. As schools around the country seek to improve security of their facilities, Florida lawmakers have outlawed one of the most important tools toward this goal. What will be the next technology they aren’t willing to understand that might leave children vulnerable?

Do you know who has proper authorization to be in your secured facility?

SAFE

SAFE is a premises software solution that enables federal agencies, DoD facilities, and other high security government areas to align with FICAM and streamline their physical security operations as it relates to physical access. Our solution centralizes identities, ensures compliance, and provides continuous risk assessment without having to rip and replace existing security infrastructure while providing PIV, CAC, PIV-I validation for employees and contractors, ID authentication, and physical access auditability. With the SAFE solution, security teams can now simplify the control of employees, visitors, vendors and other third-party identities across a global organization to ensure each identity has the right access, to the right areas, for the right length of time. Visit our website to learn more: www.quantumsecure.com/government


ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

RED HAT TAPS GEMALTO FOR REMOTE ACCESS Red Hat selected Gemalto to implement digital security tokens that enable remote access for the company's more than 6,000 employees. Red Hat is a provider of open source software solutions, using a community-powered approach to cloud, Linux, middleware, storage and virtualization technologies. Gemalto's Protiva tokens integrate with Red Hat's authentication technology for employees connecting to the company's virtual private network and SAML-enabled applications. Red Hat execs wanted to protect the company's sensitive information using more secure measures than just a username and password. Utilizing Gemalto's OTP form factor, Red Hat receives secure remote access with an extra layer of security.

"Essentially, Red Hat employees will be carrying an everyday electronic device – be it a mobile phone, laptop or other smart device – that is served a Protiva digital security token, which is a two-factor authentication security measure," says Thomas Flynn, vice president of Identity and Access for Gemalto North America. "The first of those authentication factors would be a memorized password or piece of personal information and the second a randomly-generated, constantly-changing PIN number or code that presents itself on the device," explains Flynn. "When entered into an online portal, these credentials verify an employee's identity and allow remote access to Red Hat's virtual privacy network, cloud applications and file stores."
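The second factor Flynn describes, a constantly changing code displayed on a device the employee carries, is what a one-time-password token produces. The following Python is an added example, not Gemalto's Protiva code (the page does not say which algorithm Protiva uses); it implements the open HOTP and TOTP algorithms from RFC 4226 and RFC 6238, which is what most soft tokens run, plus the server-side check a relying party needs: a small clock-skew window and a constant-time comparison. The secret and timestamps used below are the published RFC 6238 test vectors, not values from the page.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation
    to a 31-bit integer, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, so token and server agree as long as clocks do."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Relying-party check. Accepts the code for the current period and
    `window` periods either side to absorb clock drift, and compares every
    candidate in constant time so response timing leaks nothing about which
    digits were right. A production server must additionally remember the
    last accepted counter and refuse anything at or below it (replay)."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    now = int(unix_time) // step
    ok = False
    for counter in range(now - window, now + window + 1):
        # No early return: work done is the same whichever period matches.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), candidate)
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B shared secret (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP at T=59, 8 digits:", totp(seed, 59, digits=8))
    print("TOTP now:", totp(seed, int(time.time())))
```

The token side is the first two functions; the server side is `verify_totp`. The shared secret is the whole security of the scheme: it must be provisioned to the device once, over a protected channel, and stored by the server with the same care as a password database, because anyone holding it can generate every future code.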

FACEBOOK TESTING ANONYMOUS LOGINS User-centric identity refers to giving the consumer control of what information they want to give up when registering at a web site. Facebook has often been viewed as the opposite of this because it doesn't give the consumer a choice of what information is given up when registering for a new app. However, the social networking giant is reconsidering this and starting to test anonymous login to third-party apps. Mark Zuckerberg announced the pilot program at Facebook's F8 developer conference. Anonymous logins will give individuals the ability to test an app without giving up information. It will also enable consumers to use a Facebook login across multiple devices. The new system is designed to clearly state what information the user is giving up and eventually might let consumers decide what information they want to share. The move by Facebook is a good first step, says Olivier Amar, CEO of MyPermissions, a security technology company.

"Although there are still lots of open questions, Facebook raised the bar when it comes to accessing people's personal information, data, privacy, and it is enabling users to take control over what others can access," Amar adds.

Janrain also supports Facebook's move, says Larry Drebes, CEO at Janrain, a provider of social ID and customer profile management services. "We fully support initiatives by social platforms to protect privacy and give more choice to their users," he says. "Sharing one's social identity with any business should be part of a clear give-to-get relationship where both sides understand the value they are receiving and their rights and responsibilities in the relationship." Janrain plans to provide its customers with support for Facebook's Anonymous Login.

CALENDAR

JULY
Smart Card Alliance Special Edition Event: 10th Anniversary of HSPD-12, July 31, Marriott Metro Center Hotel, Washington D.C.

SEPTEMBER
Global Identity Summit, September 15 – 18, Tampa Convention Center, Tampa, Fla.
2014 Biometric Consortium Conference, September 16 – 18, Tampa Convention Center, Tampa, Fla.
ASIS 2014, September 29 – October 2, Georgia World Congress Center, Atlanta, Ga.

OCTOBER
Smart Card Alliance Government Conference, October 29 – 30, Walter E. Washington Convention Center, Washington D.C.

NOVEMBER
CARTES Secure Connexions, November 4 – 6, Paris Nord Villepinte Exhibition Centre, Paris, France
ISC East, November 19 – 20, Javits Center, New York, New York

SFO ROLLING OUT ADDITIONAL ID MANAGEMENT CAPABILITIES San Francisco International Airport has been using the SAFE Airport Identity & Credential Management System from Quantum Secure since 2010. The system automates identity management processes related to background checks, access credential issuance, physical access privilege assignment/termination and management of TSA-mandated audit and compliance regulations. The SAFE for Aviation solution comes with pre-defined policies, workflows and procedures for issuing badge credentials as well as granting or revoking access to airport facilities. The solution also simplifies adherence to TSA and FAA regulations, audits and security directives, minimizing insider threats and promoting greater operational security. It automates processes for conducting background checks for new airport workers and obtaining security clearances for access to secured locations from governing bodies like the TSA. This creates flexible self-service access rights to enable approved parties to enroll their own employees and subcontractors and grant them physical access rights while complying with and enforcing security directives.

SFO Airport plans to deploy the following aviation-related SAFE modules in 2014:

Privilege Management Application: Provides the ability to define credential types and associate these credentials with the privileges and security checks they require, including the lifecycle management of these relationships.

Financial Management Application: Enables the airport to manage financial transactions for contractors, third parties and other operators.

Integrated Watch List Management Application: Enables the user to manage internal and external watch lists and to load the TSA No-Fly/Selectee list, search it for possible matches and highlight them during the enrollment process.

Mobile Infraction Management: Gives users the complete capability to perform tasks and take actions on their smartphones and tablets.

Visitor Management: Manages the complete lifecycle of visitors, including creation of an audit trail of visits and visitor check-ins, and fingerprinting schedule management for authorized signatories.

BIOMETRIC AUTHENTICATION WITHOUT ANY EXTRA HARDWARE When it comes to online authentication the goal is to make it easy, secure and inexpensive. The expense can often be tied to adding the necessary hardware and software. So, in a perfect world, nothing new would be required. Biometric Signature ID is going this route, offering an authentication service that enables users to enroll by drawing a passcode consisting of numbers and characters into boxes using either a mouse or track pad. There's an additional enrollment factor that's captured as well where users click an on-screen keyboard to enter a password. The solution assesses the passcode's pattern of length, angle, speed, height and number of strokes, storing the information in an encrypted database. By comparing this data to the data collected by the user's subsequent logins, BioSig ID confirms that the person who registered is the same person trying to access a protected service.

The technology can authenticate students accessing online classes and tests, says Jeff Maynard, president and CEO at BioSig ID. It is being used in 53 countries and all 50 U.S. states for student verification. Universities need to comply with the revised Education Act, meaning that institutions with online courses must have a process to identify that the student that signs up and takes an online course is the "real" student. The system captures more than just the gesture biometric, Maynard explains. "We collect all sorts of information around the authentication event and we have become adept at understanding that behavior from different IP addresses," he says.

The system is also being used in one of the pilots for the National Strategy for Trusted Identities in Cyberspace. The authentication technology is being used in the pilot with the American Association of Motor Vehicle Administrators and the Virginia Department of Motor Vehicles. The pilot is creating a trust framework to serve the public and private sectors. After that is complete, it will take identities from commercial providers – Google, Facebook, etc. – and enable consumers to add assurance to them. Consumers will use driver license data, which will be checked against the Virginia DMV, to add the extra authentication elements.

SURVEY: ENTERPRISES ARE 'COMPLACENT' WHEN IT COMES TO PHYSICAL ACCESS CONTROL HID Global surveyed 600 users on physical access control technologies to explore perceptions about change, the importance of industry best practices and how well technology and policy best practices are being implemented. The attitudes uncovered in the survey show how organizations can defend against increasingly dangerous and costly security threats, both now and in the future.

"This survey raises questions about how well organizations are keeping up with the bad guys," said John Fenske, vice president of product marketing, Physical Access Control with HID Global. "Complacency isn't wise, however, and adherence to industry best practices will be increasingly critical in order to take advantage of the coming generation of technologies and capabilities, including mobile access control on smartphones. A reliance on legacy infrastructure, technology and mindsets will make it hard to keep up with today's technology advances that address a world of increasingly sophisticated threats."

Key survey findings include:

Only 37% of users perform annual security assessments, and most don't contract a third party to test existing physical access control systems. This means users either conduct their own security audits or penetration exercises internally, or do not test their systems at all.

More than half of respondents have not upgraded in the last year, and more than 20% haven't upgraded in the last three years.

75% of end users said cards with cryptography were important. The majority, however, also believes that mag-stripe and proximity technologies provide adequate security, despite their vulnerability to cloning.

75% of respondents state that the highest-security technologies were important or very important, but half said they weren't implementing them well, or at all.

More than 90% felt the most secure policies were important or very important, with only 70% feeling as though they were implementing them effectively or very effectively.

The biggest barriers to best-practice implementation were either budget constraints or management not seeing value in the investment. Yet the cost of not investing in best practices can be very high: the Ponemon Institute, for example, estimates that a data breach can cost in excess of $5.4 million.

NIST STUDIES AUTHENTICATION EVENTS The National Institute of Standards and Technology surveyed 25 employees to better understand user authentication events, both physical and digital. The two-part study had employees first record all their authentication events over a 24-hour period. The second part of the study consisted of interviews with the participants regarding authentication. It was designed to answer the following questions:

Where does authentication fit into the daily activities people carry out?

What characteristics of authentication may interfere with the primary activity that authentication is supposed to enable? What are the friction points?

How do people add up the cumulative costs of authenticating multiple times each day, and how do they balance them against their own perceived security needs?

How do people perceive the costs of performing security tasks – particularly authentication tasks – in comparison with the benefits of performing those tasks?

Some participants had trouble figuring out what "authenticating" meant. One participant erroneously recorded unlocking his car with his remote key fob as an authentication event. Conversely, some participants did not record showing their ID badge to a guard before entering the NIST campus. Study participants recorded an average of 23 authentication events each during the study period. Since many participants did not record authentication events outside of work, that number is most likely higher.

Interviews revealed that participants were frustrated by the number of authentication tasks they had to perform every day – especially those they had to perform repeatedly, such as unlocking work computers that auto-locked after 15 minutes. Participants found that it took a lot of effort to manage passwords for multiple resources, especially since those passwords were often governed by different policies. Coping strategies included synchronizing passwords across multiple IT resources; employing password creation schemes; keeping password notes in a secure place; and employing password vaults or managers. Some employees reported avoiding "extra" activities – doing additional work from home – because authenticating seemed a greater hassle than the potential benefit.

NIST participants are not unique in being impacted by authentication. "Password fatigue" is a common problem and expecting users to simply adapt to an excessive authentication workload is not realistic. The goal is to make authentication more usable but this will take time. Additional research is needed to show how authentication affects users and the habits they develop to cope with those effects. Until then, organizations can take steps to reduce the burden of authentication on their employees and other users of these systems, which will improve both security and productivity. Users expressed some authentication preferences during the study, tending to prefer:

single sign-on (SSO) authentication;

standardizing password policies throughout the organization to make authentication elements easier to manage;

authentication coping mechanisms such as the use of password managers or vault applications.

CANADIAN MINT TAPS SECUREKEY FOR AUTHENTICATION MintChip is not just a flavor of ice cream but also a digital currency backed by the Canadian government. To secure transactions made with this new digital currency, the Royal Canadian Mint selected SecureKey's briidge.net Connect Platform to provide device-based multi-factor user authentication. Developed by the Royal Canadian Mint, MintChip is a secure protocol for holding and transferring digital value. It has many of the attributes of real cash: its transactions are instant, irrevocable, easy and inexpensive for both consumers and retailers. The currency is designed for anonymous, low-value transactions online and in the real world using contactless or NFC technology.

The Royal Canadian Mint is rolling out a pilot with 200 employees who will use the briidge.net Connect Platform, says Andre Boysen, executive vice president of marketing at SecureKey. The briidge.net Connect Mobile SDK and service is built into the MintChip consumer mobile app, and will enable consumers to make cash-like MintChip payments using their smart phones and other mobile devices rather than current contactless payment card transactions. The briidge.net Connect Mobile SDK embedded in the mobile app enables the MintChip system to positively identify the mobile device connecting to the consumer cloud account through a unique device ID. Prior to a payment transaction, the software authenticates the user by their 4-digit QuickCode PIN. This QuickCode is like a debit or credit card PIN, but instead of being limited for use with just one card, the QuickCode can be extended across the user's preferred devices for added convenience. The briidge.net Connect service is adaptable to all forms of existing and emerging hardware-based security and can be applied to laptops, desktop PCs, mobile devices and even wearable technology to support payment of purchases made online and in-store.

STARWOOD ENABLES GUESTS TO SKIP THE CHECK IN Downloading an app on to a smart phone and being automatically checked in upon arrival at a hotel has been a use case for NFC-enabled smart phones since the technology was first discussed. But Bluetooth may be leapfrogging NFC in this arena. While it's taking time for NFC to gain a foothold, two Starwood Hotel properties are taking advantage of the latest Bluetooth specification, enabling guests to skip the front desk and walk straight to their rooms, according to the Wall Street Journal.

The system is being piloted at two Aloft properties – Cupertino, Calif. and the Harlem location in New York City. By the end of next year, the company is hoping to introduce the virtual key at all of its W and Aloft hotels, 123 properties in total. Guests staying at these properties will receive a message on the Starwood app that will contain a virtual key. Guests can use that key, along with Bluetooth technology, to unlock the door with a tap or twist of their phone. The company says the iPhone 4S or newer models along with Android handsets running 4.3 or later will be compatible with the system.

ID SHORTS

GERMANY, SWITZERLAND USING NEW EPASSPORT SPEC NXP Semiconductors announced that Germany and Switzerland are shipping supplemental access control (SAC) electronic passports based on its SmartMX2 family of secure microcontrollers.

The two European countries are among the first to roll out supplemental access control ePassports ahead of the European Union mandate requiring all new ePassports to be SAC compliant by the end of 2014. Built on NXP’s Integral Security architecture, SmartMX2 products have achieved Common Criteria Evaluation Assurance Level 6+ certification. Supplemental access control is an evolution of the earlier version known as basic access control. It is intended to future-proof security in travel documents. It is similar in function to basic access control and ensures that the contactless chip cannot be read without physical access to the travel document and that the data exchange between the chip and the reading device is encrypted. The new standard is based on Password Authenticated Connection Establishment. During the authentication phase, it implements asymmetric cryptography whereas basic access control uses symmetric cryptography. In addition, during the authentication phase, data encryption is based on a shared key between the reader and the chip. This contrasts with basic access control, which generates a key based on the data in the Machine Readable Zone. The latest spec aims to enhance data confidentiality and make eavesdropping impossible. Passports have a long lifespan and as such the security needed to authenticate and safeguard identities must have longevity. The International Civil Aviation Organization introduced supplemental access control in the third generation of ePassports to provide additional layers of security on top of those already deployed in the first two ePassport generations.
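To make the contrast with the older scheme concrete, here is the basic access control key derivation the short refers to, as an added example that is not part of the original article and not NXP’s code. It follows the public ICAO Doc 9303 procedure: both session keys are computed by SHA-1 from three Machine Readable Zone fields alone (document number, date of birth, date of expiry, each with its check digit), so anyone able to read the printed MRZ can derive them, which is the weakness PACE addresses. The sample MRZ values are the standard’s own published worked example, not a real passport; the 9-character, ‘<’-padded document number field is the standard’s layout.

```python
import hashlib

# Added example (not from the article or from NXP): basic access control (BAC)
# key derivation as specified in ICAO Doc 9303. The two 3DES keys that protect
# the chip/reader session are a deterministic function of three MRZ fields.

WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits as-is, A-Z as 10..35, '<' as 0, weights 7,3,1, mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """'MRZ_information': document number (padded to 9 with '<'), birth date and
    expiry date, each immediately followed by its check digit."""
    doc = doc_number.ljust(9, "<")
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc, birth_yymmdd, expiry_yymmdd))


def with_odd_parity(key: bytes) -> bytes:
    """Force each byte to odd parity, the DES key convention the standard mandates."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append(b | 1 if ones_in_top7 % 2 == 0 else b & 0xFE)
    return bytes(out)


def derive_bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> dict:
    """Return {'seed', 'enc', 'mac'}: K_seed is the first 16 bytes of SHA-1 over
    MRZ_information; K_enc and K_mac come from SHA-1(K_seed || 00000001 / 00000002)."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    keys = {"seed": k_seed}
    for name, counter in (("enc", 1), ("mac", 2)):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys[name] = with_odd_parity(digest[:8]) + with_odd_parity(digest[8:16])
    return keys


if __name__ == "__main__":
    # Worked example values published in ICAO Doc 9303, not a real passport.
    for name, value in derive_bac_keys("L898902C", "690806", "940623").items():
        print(f"K_{name}: {value.hex().upper()}")
```

The point to take from it: the only secret input is printed on the data page, and the date fields have very little entropy, so the key space is small even before the document number is known. PACE keeps a password-derived value on the chip side but wraps it in an asymmetric key agreement, so an eavesdropper who learns the MRZ later cannot recover a recorded session.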

GEMALTO SUPPORTING NORWEGIAN EID PROJECT Gemalto will support BankID of Norway in creating a nationwide system for electronic authentication and legally binding digital signatures using the Valimo mobile eID solution. BankID is the central body for eID established by the Norwegian banking industry. The mobile BankID service works across all networks and phone types, and has already been adopted by more than 270 service providers in Norway, including banks and other commercial organizations. The addition of Valimo to the BankID online services infrastructure delivers new standards for Norwegian citizens using mobile phones and mobile devices to access banking or to digitally sign transactions. For banks and other providers, the arrival of a Mobile ID option for BankID offers the advantages of a unified and readily available route to market for secure mobile services. Working with all the mobile apps offered by the banks in Norway, Valimo’s Mobile ID solution has a straightforward registration process that can be completed in minutes. Almost one million Norwegians are now employing the BankID system for secure online authentication, of which nearly 40% are using the Mobile ID app.

ABI: INTERNATIONAL DIGITAL IDS NEEDED In the U.S. there is the National Strategy for Trusted Identities in Cyberspace and in the European Union there is a similar initiative with the unfortunate moniker of STORK 2.0, which stands for Secure idenTity acrOss boRders linKed 2.0. Both are government initiatives dealing with digital identities but they have different goals, says Phil Sealy, research analyst at ABI Research. NSTIC wants to create an identity ecosystem for use online. This may require use of a token or it may not, but either way the strategy is trying to create an ecosystem to enable use of secure, privacy-enhancing identities. STORK is different: it’s trying to enable cross-border use of credentials – government IDs – so that others can have assurance in an identity, Sealy says. For example, someone can apply for a job in another country and the digital identity will add a certain level of identity assurance to the application. “STORK is based on the use of a physical credential, whereas NSTIC is open ended and embraces all the different types of IDs out there,” Sealy adds. The GSMA, the trade association for mobile network operators, is also exploring online identity initiatives. With an estimated 22 billion government ID, payment and SIM cards worldwide, there is a clear calling and emphasis being placed on the creation of international standards for securing digital identities. ABI Research recommends that all of these projects work together to create a framework so that no matter which ID is being used – physical card or digital – they can work on a trusted platform. Addressing how to break down the international barrier for interoperable digital identity is the bigger question. “The current levels of fragmentation are a clear stumbling block that is further exacerbated by the different approaches taken by individual companies. This is muddied even further by the differing national laws, security and privacy levels, infrastructure and standards used within each country.” The creation of an international ID standard for everyone to adhere to could help, but it’s unlikely that countries that have already invested heavily in identity programs will want to significantly reinvest, limiting uptake to those nations considering migration to next generation credentials and new projects. “Initiatives such as STORK 2.0, the work being completed by the GSMA on the mobile identity front and NSTIC are best placed to address the interoperability issue,” Sealy says. “Rather than the creation of an international standard, these initiatives are looking at how to embrace all credential and solution types, defining or producing best practices from which countries can follow and adopt to create the trust framework required for cross-border use.”

FRANKEN: GOOGLE GLASS AND FACIAL RECOGNITION NOT A GOOD COMBO An app on jailbroken Google Glass devices would enable consumers to use facial recognition to find out personal details including name, photos and dating website profiles. U.S. Sen. Al Franken (D-Minn.), chairman of the Senate Subcommittee on Privacy, Technology and the Law, said he has serious privacy concerns about the new app called NameTag. Google currently bans facial recognition apps on Google Glass because of privacy concerns. Franken asked the app’s makers to limit the facial recognition feature to only those people who have given prior consent. He also asked FacialNetwork.com, the maker of NameTag, to delay launching the app until best practices for facial recognition technology are established, noting that the app raises serious concerns for personal safety and individual privacy. NameTag enables strangers to get a range of personal information simply by looking at that person’s face with the Glass camera. This is done without that person’s knowledge or consent.

“I urge you to delay this app’s launch until best practices for facial recognition technology are established, a process that I’ve long called for,” Franken states in a letter. “At a minimum, NameTag should only identify people who have given the app permission to do so.” This isn’t Franken’s first foray into the privacy and biometric arena. In 2012, Sen. Franken held a hearing on facial recognition technology in his subcommittee, in which a Facebook representative refused to assure users that the company would not sell or share its face print database with third-party apps.

FIDO ALLIANCE RELEASES DRAFT TECHNOLOGY SPEC The FIDO Alliance released its first public review draft technology specifications. These open technologies have been developed by a number of companies worldwide to enable simpler, stronger authentication to scale in the market. FIDO standards address industry and consumer pain points by ensuring that users and online service providers have a variety of choices to select from when adopting simpler, stronger authentication alternatives to the reliance on single-factor passwords. The FIDO specifications emphasize a device-centric model. FIDO specifications will support a range of authentication technologies, including biometrics, as well as further enable existing solutions and communications standards, such as Trusted Platform Modules, USB security tokens, embedded secure elements, smart cards, Bluetooth low energy and Near Field Communication. FIDO Alliance members are already developing FIDO Ready products and services based on early draft FIDO specifications. In October 2013, the FIDO Alliance began a certification program with FIDO Ready branding for implementations passing conformance and interoperability testing to early draft specifications. The 2014 Consumer Electronics Show revealed the first demonstrations of FIDO Ready products.

U.S. BANK EXPANDING MOBILE VOICE BIOMETRIC PILOT U.S. Bank employees are piloting voice biometric software that enables customers to speak a simple passphrase, such as “my voice is my password,” to access a credit card account on a mobile device. The system enables select credit card customers to use their voice to log in with a spoken passphrase so they can access their account balances, search transactions and make a payment on their account in the mobile app. The solution, from Nuance Communications, addresses growing consumer dissatisfaction with PINs, passwords and security questions, while maintaining a secure system. With just a simple spoken passphrase, voice biometrics enables consumers to be securely authenticated when they connect with a service provider via a call center, mobile app or the Web. This latest pilot expands the work U.S. Bank and Nuance began in April 2013 when voice recognition was used for conducting basic functions, such as viewing account balances, searching transactions and making a payment on their accounts.

MORPHOTRUST INKS $25.2 MILLION IN CONTRACTS MorphoTrust USA has been chosen to provide fingerprint-based background checks for public safety agencies in Massachusetts, New Jersey and Nevada. These agreements could yield up to $25.2 million in revenue over the next six years. The Massachusetts Executive Office of Public Safety and Security is working with MorphoTrust to establish a system for fingerprint-based background checks – including caregivers and applicants seeking to become adoptive or foster parents – as mandated by recent legislation. The background check system will also include Massachusetts public and private schools, including current and prospective employees and volunteers, as well as subcontractors and laborers who perform regular work on school grounds or have regular contact with children. The program will enroll up to 245,000 applicants annually at 33 enrollment centers around the state. The one-year contract can be renewed for five additional one-year periods and could generate approximately $9.1 million. The Nevada Department of Public Safety civilian enrollment and channeling program includes individuals seeking employment, volunteer and licensing opportunities in the state that require a fingerprint-based background check, including real estate, gaming, housing authorities, education and insurance. The program’s goal is to enroll 60,000 applicants per year. The four-year contract can be renewed for two additional one-year periods and could generate nearly $700,000 over the full duration. The program with the New Jersey Division of State Police could enroll up to 400,000 applicants annually. All individuals in the state who are mandated by legislation to submit to fingerprint criminal history background checks will use the services. This includes but is not limited to licensing, foster and adoptive parents, employment, firearms applications and volunteering. The three-year contract can be renewed with two additional one-year periods and could generate $15.4 million. Applicants for these contracts will be serviced in the company’s IdentoGO Centers. IdentoGO Centers by MorphoTrust provide a number of identity-related services through a network of locations, staffed by trained enrollment agents. Spanning all 50 states and U.S. territories, the primary service offered in each center is the secure capture and transmission of electronic fingerprints.


AUTHENTIFY SUPPORTS AAMVA NSTIC PILOT Authentify announced that it has been selected to support the American Association of Motor Vehicle Administrators’ pilot project for raising the level of trust in online identities. Known as the Cross Sector Digital Identity Initiative, the pilot is being conducted with the federal National Strategy for Identity in Cyberspace (NSTIC) program and managed by its program office in the U.S. National Institute for Standards and Technology. The initiative will demonstrate the viability of leveraging Department of Motor Vehicles’ in-person identity proofing services to create a digital credential that can strengthen online authentication and trust when individuals access online services. Authentify will provide the infrastructure to issue mobile digital credentials once an identity has been vetted by AAMVA members, and out-of-band (OOB) authentication services to validate the identity token’s authenticity when it is used online. Developing greater trust and security without sacrificing usability or privacy is a major driver behind the NSTIC program. As a grant recipient, AAMVA is working to develop a trust framework for strong digital identity credentials, which other online entities will also be willing to accept.

In addition to AAMVA and Authentify, other pilot participants include the Commonwealth of Virginia DMV, Biometric Signature ID, CA Technologies, Microsoft and AT&T. The AAMVA pilot is the third NSTIC pilot project in which Authentify is participating. The other two are being led by Resilient Network Systems and Criterion Systems.

PALM VEIN COMING TO MOBILE DEVICES? The inclusion of fingerprint scanners in mobile handsets is gaining momentum, and talk of the addition of iris biometrics is stirring as well. Now Fujitsu is entering the game with its palm vein biometrics and plans to embed the modality into mobile devices. The vascular biometric technology scans the unique vein pattern beneath a person’s palm for identification. The technology is already used in laptops, and a stamp-sized version of the palm vein scanner has been placed into tablets. About 2,000 of the devices will be provided to Fukuoka Financial Group in Japan. The customized 12.5-inch Fujitsu Arrows Q704/H tablets have Intel Core i5 processors and run Windows, acting as virtual desktops. Bank employees meeting customers off-site will be able to securely access their bank’s internal system using palm vein authentication. The palm vein scanners have been popular in health care and other applications where a “no touch” biometric is favored. Users can typically hold their hand over the scanner to be identified after enrollment.


Exorcising the biometric Boogeyman

Misinformation breeds monstrous tales of biometric technology

• Separating fact from (science) fiction
• ID technology under attack by lawmakers that don’t understand how it works

ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS


Procedural crime dramas haven’t done the biometrics industry any favors. Television shows make it look easy to lift a print, scan it and get a match within seconds. And if you look at how some of these shows depict creating fake biometrics, it’s a wonder anyone uses the technology. The unrealistic depiction of how biometric technology works in the law enforcement market carries over into commercial applications as well. This misperception that it’s simple to create copies of biometric images – and worse, that the actual images are stored and easily compromised – has led many to believe that biometrics as an identification technology is insecure and privacy invasive. Case in point … the State of Florida passed a law banning the use of biometrics in public schools fearing that it might lead to identity theft and put students at risk. Testimony from State Senate hearings clearly shows that legislators lacked basic understanding of how biometric technology works. There was also a misperception that if one of the databases that stored the children’s biometrics were corrupted it would lead to identity theft. Even the Florida bill’s sponsor, State Sen. Dorothy Hukill (R – Port Orange), admitted to not knowing of an instance where a biometric database has been breached and later led to identity theft. “I’m obviously not a scientist,” she said in a hearing. “I can’t tell you exactly how that happens.”

That may also be because it is very difficult – biometric vendors would say impossible – to do. When an individual is enrolled and later authenticated in a commercial biometric system, the image of that identifying information isn’t stored. Biometric vendors use complex algorithms to map various points on the biometric – fingerprint, iris, palm vein, etc. – and translate that into a binary code called a template. When later authenticating to the same biometric system, the live image is once again translated into binary code to match against the stored encrypted version of the template.

Political fallout elsewhere? Janice Kephart is worried about the precedent that the Florida law presents. Kephart is the founder and CEO of the new Secure Identity & Biometrics Association and has served in the nation’s capital on a number of identity projects, including REAL ID. “Uber-privacy folks have a lot of support in the states and if this becomes an issue with the ACLU then you will see a significant ramp up,” Kephart explains. Florida has been a trendsetter for legislation like this in the past and it could set the stage for similar legislation across the country, Kephart says. “You have a base of folks that are organizing and it’s troublesome. We have a job to educate on the reality of the situation,” she adds. Illinois, Wisconsin and Arizona have passed laws that require parental notification and consent to use biometrics in schools. This type of legislation isn’t a problem, says Kephart, because parents should be notified when a biometric system is being deployed to avoid possible problems from the start. But the biometrics industry has some work to do to let people know how the technology works and what benefits it provides. Also, legislators need to keep an open mind when looking at these issues. Politicians, including the sponsors of the Florida bill, did not return calls to reporters or industry groups, Kephart says. “The easy road is to use people’s fears to get votes, the harder road is to be a public servant. Failure to address questions on biometrics shows a lack of due diligence,” she adds. “They don’t have to agree but they have to agree to be educated.”

TEMPLATE 101 Outside of the U.S. federal government, most biometric deployments use proprietary technology. This means vendor A’s technology may not work with vendor B’s technology even if they both use fingerprints. Each vendor has its own template extractor and algorithms, says Mike Garris, Image Group leader in the Information Access Division at the National Institute of Standards and Technology. “With proprietary templates the vendor knows what’s inside and it can’t be leveraged by others,” he explains. A template typically represents fewer than 100 minutiae points from the thousands available on the fingerprint. The points are mapped out, translated into binary code and then stored. “Given only minutiae points, you can’t go back to the exact original image, the pixel data has been lost and if it’s a proprietary system only the vendor knows what information has been extracted and preserved from the original fingerprint,” Garris says. As for reverse engineering templates into images that are matchable, Garris says it is possible, but these images would look nothing like the original fingerprint image. Industry experts suggest that the resulting image would look like a constellation of 100 dots on a black sky that in no way resembles a fingerprint. There are also standard templates where only the minutiae points of a fingerprint are captured and encoded in a known representation. Standards-based systems have been tested and verified to work across multiple vendors. The federal government uses standards-based systems because it doesn’t want to be locked into one system with one vendor. Today, fingerprint is the only biometric modality with internationally accepted template standards.
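The extraction-to-template-to-match flow described in TEMPLATE 101, as an added example constructed for this page (not NIST’s code and not any vendor’s extractor): a toy minutiae template packed in the spirit of the ISO/IEC 19794-2 record layout, a constructed 12-minutia enrollment, a second capture of the same finger with sensor jitter, and a greedy matcher that returns a score rather than a yes/no. The record layout, tolerances and threshold are assumptions chosen for the example, and a real matcher aligns the two point sets before pairing them; the toy assumes the probe is already aligned.

```python
import math
import struct
from typing import List, Tuple

# Added example, constructed for this page (not NIST's or any vendor's code):
# a toy minutiae template and matcher showing that the stored record is a short
# list of points and angles, not pixels, and that matching yields a score.
# Record layout, tolerances and threshold are assumptions chosen for the example.

# (x, y, angle in degrees, kind) with kind 0 = ridge ending, 1 = bifurcation.
Minutia = Tuple[int, int, int, int]

_RECORD = ">HHBB"  # kind|x, y, angle in 256ths of a turn, quality: 6 bytes per minutia


def pack_template(minutiae: List[Minutia]) -> bytes:
    """Serialize: 2-byte count, then one 6-byte record per minutia (ISO 19794-2 style)."""
    blob = bytearray(struct.pack(">H", len(minutiae)))
    for x, y, angle, kind in minutiae:
        blob += struct.pack(_RECORD, (kind << 14) | (x & 0x3FFF), y & 0x3FFF,
                            (angle % 360) * 256 // 360, 0xFF)
    return bytes(blob)


def unpack_template(blob: bytes) -> List[Minutia]:
    """Inverse of pack_template (the angle quantization is exact for multiples of 45)."""
    (count,) = struct.unpack_from(">H", blob, 0)
    out = []
    for i in range(count):
        kx, y, a, _quality = struct.unpack_from(_RECORD, blob, 2 + 6 * i)
        out.append((kx & 0x3FFF, y, a * 360 // 256, kx >> 14))
    return out


def _angle_diff(a: int, b: int) -> int:
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(enrolled: List[Minutia], probe: List[Minutia],
                dist_tol: float = 8.0, angle_tol: int = 20) -> float:
    """Greedy one-to-one pairing: fraction of minutiae with a same-kind partner within
    dist_tol pixels and angle_tol degrees. Assumes the probe is already aligned."""
    used = set()
    hits = 0
    for ex, ey, ea, ek in enrolled:
        for j, (px, py, pa, pk) in enumerate(probe):
            if j in used or pk != ek:
                continue
            if math.hypot(ex - px, ey - py) <= dist_tol and _angle_diff(ea, pa) <= angle_tol:
                used.add(j)
                hits += 1
                break
    return hits / max(len(enrolled), len(probe), 1)


def verify(enrolled_blob: bytes, probe: List[Minutia], threshold: float = 0.6) -> bool:
    """The decision the system actually makes: score against a tuned threshold."""
    return match_score(unpack_template(enrolled_blob), probe) >= threshold


def make_enrolled() -> List[Minutia]:
    """Constructed enrollment: 12 minutiae (real templates hold tens up to ~100)."""
    return [(40, 52, 45, 0), (88, 61, 90, 1), (132, 70, 135, 0), (57, 110, 0, 1),
            (101, 118, 270, 0), (150, 125, 45, 1), (66, 170, 180, 0), (112, 178, 90, 0),
            (160, 186, 225, 1), (75, 230, 315, 0), (124, 236, 0, 1), (171, 244, 135, 0)]


def make_live_capture() -> List[Minutia]:
    """Same finger, new placement: pixel jitter, every angle read 5 degrees off,
    one minutia missed by the extractor and one spurious point from noise."""
    jitter = [(2, -1), (-3, 2), (1, 3), (-2, -2), (3, 1), (0, -3),
              (-1, 2), (2, 2), (-3, 0), (1, -1), (3, 3)]
    live = [(x + dx, y + dy, (a + 5) % 360, k)
            for (x, y, a, k), (dx, dy) in zip(make_enrolled()[:11], jitter)]
    live.append((20, 20, 0, 0))
    return live


def make_other_finger() -> List[Minutia]:
    """Constructed template of a different finger with the same number of minutiae."""
    return [(x + 23, y + 19, (a + 90) % 360, 1 - k) for x, y, a, k in make_enrolled()]


if __name__ == "__main__":
    blob = pack_template(make_enrolled())
    print(f"template: {len(blob)} bytes for 12 minutiae (a 500x500 8-bit image is 250,000 bytes)")
    print("same finger, new capture:", round(match_score(make_enrolled(), make_live_capture()), 3))
    print("different finger:", match_score(make_enrolled(), make_other_finger()))
```

Two things the code makes visible that the prose only asserts: the 74-byte record carries nothing from which pixels could be recovered, and a second capture of the same finger does not reproduce the enrollment (it scores 11 of 12 here, not 12 of 12), which is why the decision is a threshold on a probabilistic score.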

LAW ENFORCEMENT VS. COMMERCIAL APPLICATIONS These systems are different from what law enforcement uses and what’s seen on NCIS and CSI, says Gary Jones, director of Biometric Access & Time Solutions at MorphoTrak, a company that works in the law enforcement and commercial biometric markets. “When someone’s life is on the line it’s essential that you have as much information as possible,” he adds. Law enforcement systems often deal with partial, latent fingerprint images collected from crime scenes. These are scanned and then the automated system tries to find a match. If one is found, then an expert manually reviews both images to determine if there’s an actual match. “You have expert testimony that talks about the matching,” Jones says. In the commercial world, biometric systems don’t have to deal with partial images since the participant is willingly providing the information, Jones explains. “We can discard the image and have a high-assurance map,” he says. In essence, law enforcement uses the binary template to make it feasible for computers to search for one partial print across databases of millions of stored prints. Commercial systems, on the other hand, use the template to expedite matching and protect user privacy.

PALM VEIN AND FLORIDA SCHOOLS Fingerprints are the most common punching bag for biometric critics, but palm vein is another modality that is gaining popularity and is also seeing deployments in school lunch lines. The Pinellas County school district, near Tampa, has been using the scanners but will have to find a new way to get kids through the lunch line under Florida’s new law. Those in the biometrics industry are flummoxed by the ban. “My frustration is that no one focuses on the benefits of this technology and they just look at the risk,” says Phil Scarfo, vice president of sales and marketing at Lumidigm. “If you focus only on the risks of using technology, companies like Google and Facebook wouldn’t exist.” Even the benefits of using biometrics in school lunch lines were dismissed without consideration, Scarfo says. “It’s simple and secure and an easy way to get kids through the lunch line without adding complexity,” he explains. “Kids can’t remember passphrases or PINs, and if you issue a smart card they’ll lose it.” Making sure schools have enough time to feed students is always a challenge and using biometrics helps get them through the line quickly, says Mizan Rahma, founder and CEO at M2SYS. “Schools have a limited time to feed 300 students, just imagine the chaos if these kids have to remember their passcodes and it slows everything down,” he adds. “It adds significant value.”

Palm vein biometrics uses near-infrared light to record the vein pattern in a hand, says Gene Wright, product manager for PalmSecure Biometrics at Fujitsu. The system has built-in liveness detection because blood needs to be flowing through the veins for enrollment and authentication. As with fingerprints, palm vein systems do not store images of the actual vein pattern, but rather templates. The technology captures data points on the palm and then checks against that for future authentication. Once a template is created, there are several other steps Fujitsu takes to protect that data. Each sensor has its own specific encryption protocol. “Even if you intercepted the data stream from the sensor to the database it would do you no good if you tried to inject it into another sensor,” he says.

Also, the enrollment template is encoded in a way that would not enable it to be used for validation. “The validation template is in a different format and converted in a different manner,” Wright explains.

Also, each palm vein deployment uses a different type of encryption, so if one encryption key is compromised it doesn’t mean all of them have been hacked. “The encryption is unique to each partner or application provider so they can use it with their installed base,” Wright says.

Shedding light on Florida’s biometric ban The collection of biometric data in Florida public schools will be prohibited under a law that goes into effect this summer. Florida Gov. Rick Scott signed the legislation, prohibiting schools from taking palm scans, iris scans, or fingerprints of kids. “We don’t know where this technology is going,” said Sen. Tom Lee, chair of the Senate Judiciary committee. “How comfortable does this legislature feel about allowing the gathering of this kind of sensitive information without knowing how that information is going to be used in the future?” For Florida State Rep. Jake Raburn (R – Valrico), one of the bill’s sponsors, it’s a privacy issue. “No one, including the federal government, should be allowed access to our students’ personally identifiable information,” Raburn said. “This legislation will protect this sensitive information and prevent its misuse.” The Pinellas County school district, near Tampa, uses palm scanners to move kids through lunch lines. Barbara Dalesandro, a food service technology coordinator for the district, tried to convince lawmakers to reject the legislation. “When we had cards and PIN numbers, there was constant fraud. Other students always drained the accounts. There was a significant loss of revenue in that regard,” Dalesandro said. “We’ve been using palm scanning for four years with no problems from our parents.” Dalesandro said the biometric data is purged as students graduate or withdraw from the district, and it can be destroyed upon request. Her plea, however, seemed to fall on deaf ears. State Sen. Dorothy Hukill (R – Port Orange) said she sponsored the bill because she wants to protect kids from having their identity stolen and not finding out about it until adulthood. “You can’t change your palm scan. You can’t change your iris scan,” Hukill said. “These are unique physical and behavioral characteristics that cannot be changed. The question is why do we need this?”

Hukill told Senators 15 to 20 states are mulling the use of biometrics, understanding that once the information is collected, “you can’t go back.” She argued that not enough is known about biometrics to allow schools to use this form of data collection – even if parents say it’s okay. Lawmakers did debate whether an all-out ban was needed. “Wouldn’t it be more appropriate to be regulating this and allowing parents an option than to stop the program altogether?” asked State Sen. Darren Soto (D – Kissimmee). Hukill replied that most people have no idea what the use of biometric information means, and even those who do understand it shouldn’t have the choice to participate – for now. “I don’t think we have protections in place. I don’t think we have all of the information available to know what the long-term ramifications would be,” Hukill said. “We have no idea what the health ramifications will be long term. Think of a kid having their iris scanned getting on and off the school bus four times a day.” The bill actually does a lot of things relating to student privacy, based on recommendations from Florida’s Education Commissioner. It requires the use of student identification numbers in lieu of Social Security numbers, and it prevents the collection of information from a student or student’s family regarding political or religious affiliation, voting history and biometric data. It also gives Pinellas County an additional year to use palm scanners while the district comes up with an alternative system. The Foundation for Florida’s Future, founded by former Florida Gov. Jeb Bush, promotes digital learning materials and 21st century technology in the classroom. But the foundation is glad to see the brakes being put on biometrics. “Advancements in technology and connectivity bring new opportunities for student learning, but they also create a much different world than we knew even just a decade ago,” said foundation executive director Patricia Levesque. “Technology has changed over the years and it’s important to take a fresh look at how we’re protecting student data.”

ENCRYPTION FURTHER SECURES TEMPLATES While template use is common for commercial biometric deployments, so is encrypting the template data. Enterprises designing and deploying biometric systems need to use best practices for data security whether protecting fingerprint templates or other system data, suggests Garris. “A well designed biometric system will have data security built in, and it will encrypt the templates,” he says. Lumidigm makes sure its deployments take multiple steps to protect data, says Phil Scarfo, vice president of sales and marketing at the HID Global subsidiary. “Think of it as a unique, encrypted bundle that can be protected in even more ways than digital signature or a one-time password credential,” he says. No two biometric authentications are the same. Each time someone uses a biometric system the sensor gathers different information, which is translated into a template and checked against the database. The match is always probabilistic. “You basically have a secure tunnel between the user and the sensor, with unique information being exchanged. And if you were to login again there would be different information exchanged,” Scarfo says.

While encrypting templates has become a standard practice, what would happen if a hacker got hold of a biometric template? The odds of reverse engineering a usable image from that template are extremely low, but could a stolen template – the binary code – be used for access? The possibility of an injection attack exists but only if the system is poorly designed, says MorphoTrak’s Jones. This kind of attack would attach an outside device to the scanner and feed the template code in that way. “Technically anything is possible but it’s about staying one step ahead of hackers,” he adds. “You need to include fake finger detection into systems and make sure the binary information being entered is from the scanner and a live finger and not another device.” Those against biometrics also posit that once a biometric is stolen it’s gone forever. “There’s a misunderstanding that a biometric is like a Social Security number,” says Mizan Rahma, founder and CEO at M2SYS. “Templates change from implementation to implementation.” And templates are not images so there is really nothing personal to lose, he explains. Researchers are also working on a revocable template, says NIST’s Garris. This technology is still being devised but the basic idea is that if a template is corrupted it could be taken out of circulation and a new one could be generated from the same biometric information.

So, are biometrics a gateway to identity theft, or an easy and secure way to access a variety of services? Those who have worked in the industry know how to separate fact from fiction, but it’s obvious the biometrics market still has some work to do to inform politicians and the public on how the technology works and how it can be used to protect the privacy of users.
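One way to implement the check Jones describes (the template bytes must come from the scanner and not from another device) together with the per-sensor keying Wright describes for Fujitsu’s deployments, as an added example constructed for this page (not MorphoTrak’s, Fujitsu’s or any vendor’s code): the matcher issues a one-time nonce to a sensor, and accepts template bytes only if they echo that nonce and carry an HMAC under the key provisioned to that specific sensor. It assumes each sensor received its own key at installation and that the matcher holds the key table; the sensor ids and template bytes are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Added example, constructed for this page (not MorphoTrak's or Fujitsu's code):
# the matcher only accepts template bytes that (a) echo a nonce it just issued to
# that sensor and (b) carry an HMAC under that sensor's own provisioned key.
# Assumptions: each sensor got a distinct key at installation, the matcher keeps
# the key table, and the template payload is opaque bytes.


@dataclass(frozen=True)
class SensorMessage:
    sensor_id: str
    nonce: bytes
    template: bytes
    tag: bytes


def _payload(sensor_id: str, nonce: bytes, template: bytes) -> bytes:
    """Length-prefixed concatenation so field boundaries are unambiguous."""
    sid = sensor_id.encode("utf-8")
    return len(sid).to_bytes(2, "big") + sid + len(nonce).to_bytes(2, "big") + nonce + template


class Sensor:
    """Capture device: authenticates each captured template with its per-device secret."""

    def __init__(self, sensor_id: str, key: bytes):
        self.sensor_id = sensor_id
        self._key = key

    def submit(self, nonce: bytes, template: bytes) -> SensorMessage:
        tag = hmac.new(self._key, _payload(self.sensor_id, nonce, template), hashlib.sha256).digest()
        return SensorMessage(self.sensor_id, nonce, template, tag)


class Matcher:
    """Back end: issues one-time nonces and verifies origin before matching anything."""

    def __init__(self, sensor_keys: Dict[str, bytes]):
        self._keys = dict(sensor_keys)
        self._outstanding: Dict[str, bytes] = {}  # sensor_id -> nonce awaiting a reply

    def challenge(self, sensor_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[sensor_id] = nonce
        return nonce

    def accept(self, msg: SensorMessage) -> bool:
        key = self._keys.get(msg.sensor_id)
        if key is None:
            return False  # unknown device
        if self._outstanding.get(msg.sensor_id) != msg.nonce:
            return False  # replayed, stale or never-issued nonce
        expected = hmac.new(key, _payload(msg.sensor_id, msg.nonce, msg.template), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg.tag):
            return False  # tagged under a different sensor's key, or template altered in transit
        del self._outstanding[msg.sensor_id]  # nonce consumed: the same message cannot be replayed
        return True


def run_scenarios() -> Dict[str, bool]:
    """A genuine capture plus three ways of feeding template bytes in from outside the scanner."""
    keys = {"lunch-line-1": secrets.token_bytes(32), "lunch-line-2": secrets.token_bytes(32)}
    matcher = Matcher(keys)
    sensor_1 = Sensor("lunch-line-1", keys["lunch-line-1"])
    template = b"\x00\x0c" + bytes(range(72))  # constructed opaque template bytes

    genuine = sensor_1.submit(matcher.challenge("lunch-line-1"), template)
    results = {"genuine": matcher.accept(genuine)}

    # Replay: the identical message presented a second time.
    results["replay"] = matcher.accept(genuine)

    # Cross-sensor injection: sensor 1's authenticated template fed down sensor 2's channel.
    nonce_2 = matcher.challenge("lunch-line-2")
    injected = SensorMessage("lunch-line-2", nonce_2, genuine.template, genuine.tag)
    results["cross_sensor"] = matcher.accept(injected)

    # Tampering: fresh nonce, but the template bytes are modified after the tag was computed.
    fresh = sensor_1.submit(matcher.challenge("lunch-line-1"), template)
    tampered = SensorMessage(fresh.sensor_id, fresh.nonce, fresh.template[:-1] + b"\xff", fresh.tag)
    results["tampered"] = matcher.accept(tampered)
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:>12}: {'accepted' if accepted else 'rejected'}")
```

The nonce is what defeats replay of a captured stream, and binding the sensor id and key into the tag is what makes a message from one device useless on another, the property Wright describes. This only authenticates the channel; it says nothing about whether a live finger or hand was presented, which is why the article pairs it with liveness detection.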

IBIA makes case for biometrics in schools The International Biometric and Identification Association (IBIA) advocates the use of biometrics in schools for various applications. The organization says that the technology is not a threat to privacy but rather a privacy enabler. Biometric data is already well protected. In the difficult and unlikely case that a person hacks a biometric database, all the hacker receives is the digital representation of the biometric – a string of ones and zeros that make up the template. This digital representation does not provide access to the biometric image or any biographic data. As a best practice to protect student privacy, IBIA recommends storing only the biometric templates and deleting them when a student leaves the school. Because templates cannot be used to search law enforcement biometric databases, student privacy is further enhanced.

It is not the biometric but rather the biographic data that needs the most protection, according to the organization. Names, addresses, dates of birth, genders and Social Security numbers have been the data targeted in the vast majority of highly publicized identity thefts, not biometric data. The IBIA advocates biometrics for the following applications in schools:

• School cafeterias: Biometric use increases speed and efficiency so that students have enough time to eat; curtails bullying and theft of lunch money; protects the privacy of students on free or reduced cost government lunch programs; and ensures auditable and accurate record keeping for reimbursement from the federal government’s $13 billion food programs.
• School security: Biometric use at school entrances ensures that those entering the schools belong there; matches authorized parents or guardians with children to prevent kidnapping; and ensures that children board the correct buses and get off at their correct stops.
• School efficiency: Biometric use facilitates accurate recordkeeping and compliance with federal requirements, thus saving administrative time to be dedicated to the students.

Déjà vu all over again: Anti-RFID legislation followed similar pattern In 2005, the identification industry had a wakeup call when parents protested the use of RFID tags in student ID badges at Brittan Elementary School in Sutter, Calif. RFID tags were used to take attendance at the school when the children walked in the door. The plan was to eventually place scanners around the school to monitor student movement throughout the day. But it didn’t get that far. California State Sen. Joe Simitian, the Democratic lawmaker for the district where the school is based, still has legislation pending that would restrict, if not prohibit altogether, the use of different types of RFID and contactless technology. Simitian’s legislation served as a rallying cry for many ID vendors. Prior to that, vendors hadn’t given much thought to educating lawmakers on what their technology does or how it works. Now, many ID vendors have lobbyists who track the different bills and attempt to combat restrictive legislation. The biometrics market may have to take a page from this book and employ its own lobbyists so that legislators are better educated on how biometric technology works.


SPOOFING CONFUSION FUELS BIOMETRIC CRITICS PUBLICIZED SPOOFS TEND TO BE OVERBLOWN AND MISINTERPRETED

The iPhone 5S, the Samsung Galaxy S5 and the HTC One all have fingerprint scanners – and have all been spoofed. Now, the state of Florida has banned biometrics in schools for fear that the identifying information will be breached, leaving children vulnerable to identity theft. While breaching a biometric database, reverse engineering templates and creating fake fingerprints seems like a lot of effort to go through, at least one of the steps is possible. As detailed in the cover story, biometric databases are encrypted and templates are just about impossible to reverse engineer. But what about the media reports of hackers lifting latent fingerprints and creating fakes that fool mobile devices?

For some inexpensive scanners, and those designed for convenience rather than security applications, spoofing may not be that difficult for determined individuals, says Mark Cornett, CEO at NexID Biometrics, a company focused on creating liveness detection systems for fingerprint scanners. This is why additional protections and liveness detection are a necessity – and a common component – in secure biometric systems. NexID works with cooperative spoofs – when the subject willingly gives up their fingerprint – as well as latent prints, where the image is covertly taken from a glass or other surface, Cornett says.

When trying to grab a latent image, the first step is making sure to grab the correct fingerprint. Fraudsters need to watch the target to find out which finger is used to access the device. Then it’s a matter of grabbing that print off of a surface. There are a couple of different ways this can be done. First, a spoofer can use fingerprint dust to bring the image to the surface, Cornett says. The second way is to use a fumer stick. This is about the size of a pen and it uses superglue fumes to make the print visible. After bringing the fingerprint image to the surface, there are a couple of different ways to capture the image. One is to use tape to physically lift the print and then use a scanner to digitize the print. The other is to use a digital camera to photograph the image, but additional steps must be taken to make sure the scale of the image is correct. With practice, a spoofer can grab a print from a surface in 30 to 60 seconds, Cornett says.

But things only get tougher from here. If the spoofer has the device and the print, then they are ready to start creating fake fingerprints. Back in the lab, the latent print is scanned into a computer, at which point the spoofer has a couple of different options. One of the more popular methods is to use a laser printer and create the image on acetate, Cornett says. The image will appear raised on the acetate and the spoofer can then smear on some wood glue or other mold material to create a fake. The resulting fake is not of high quality, but it can do the trick with low-end biometric scanners, he says. Other methods include etching the print image onto a circuit board via a chemical reaction or printing the fake using a three-dimensional printer, Cornett says.

Even with the variety of ways a spoofer can create fake fingerprints, biometrics is still a better way to secure devices than PINs or passwords, Cornett says. “A PIN is binary, you either have it right or you don’t,” he explains. “A fingerprint is analog, it still has to be good enough to fool the matching algorithm.” It is imperative that the public understands that while fakes can be created, it is a very unlikely attack against biometric systems designed for security rather than convenience applications. Secure biometric systems include liveness detection features that sense a variety of characteristics found only in living tissue. Thus, a photo of an iris, a rubber finger or a plastic hand from a 3D printer can be easily dismissed. So what about the spoofed iPhones and other handsets? NexID and others are working on software-based liveness detection systems that will secure these and other convenience-focused biometric devices from spoofing attacks as well. As with any other security system, you get what you pay for. Investing in a robust, advanced and proven biometric authentication solution remains one of the best means of security available, spoofers abound or not.


Sometimes it’s not enough that someone knows a password. Sometimes you need more certainty about who is accessing your facility, your records, your sensitive inventory — certainty that a password or smartcard cannot provide alone. Only biometric authentication verifies who is present... and only multispectral imaging from Lumidigm provides the reliability, security and convenience required for your mission-critical application. When it’s important to have greater assurance of who is accessing your assets, choose Lumidigm.

www.lumidigm.com | sales@lumidigm.com | +1 (505) 272-7057


[Figure: cross-section of the eye with labels Retina, Retinal blood vessels, Cornea, Iris, Optic nerve, Lens]

IRIS VS. RETINA BIOMETRICS YES, THEY REALLY ARE DIFFERENT JOHN TRADER, DIRECTOR OF COMMUNICATIONS, M2SYS TECHNOLOGY

One of the biggest recurring issues that the biometrics industry faces is that the technology is often misunderstood, which in turn perpetuates resistance to its use and creates assumptions based on a general lack of knowledge. This is partially the fault of the industry itself for not being thorough enough in educating consumers about the differences between biometric modalities, and there is no better evidence of the continued confusion around the technology than the idea that iris and retina biometrics are one and the same. Let me take a moment to explain the distinct differences between these two unique forms of biometric identification. In biometrics, iris and retinal scanning are known as “ocular-based” identification technologies, meaning they rely on unique physiological characteristics of the eye to identify an individual. Even though they both share part of the eye for identification purposes, these biometric modalities are quite different in how they work.

RETINAL SCANNING The human retina is a thin tissue composed of neural cells located in the posterior portion of the eye. Because of the complex structure of the capillaries that supply the retina with blood, each person’s retina is unique. The network of blood vessels in the retina is so complex that even identical twins do not share a pattern. Although retinal patterns may be altered in cases of diabetes, glaucoma or retinal degenerative disorders, the retina typically remains unchanged from birth until death. A biometric identifier known as a retinal scan is used to map the unique patterns of a person’s retina. The blood vessels within the retina absorb light more readily than the surrounding tissue and are easily identified with appropriate lighting. A retinal scan is performed by casting an unperceived beam of low-energy infrared light into a person’s eye as they look through the scanner’s eyepiece. This beam of light traces a standardized path on the retina. As retinal blood vessels are more absorbent of this light than the rest of the eye, the amount of reflection varies during the scan. The resulting pattern of variations is converted to computer code and stored in a database.

IRIS SCANNING The iris is a thin, circular structure in the eye that is responsible for controlling the diameter and size of the pupil and thus the amount of light reaching the retina. Iris recognition is an automated method of biometric identification that uses mathematical pattern recognition techniques on video images of the irises of an individual’s eyes. These random patterns are unique and can be seen from some distance. Unlike retinal scanning, iris recognition uses camera technology with subtle infrared illumination to acquire images of the intricate structures of the iris. Digital templates encoded from these patterns by mathematical and statistical algorithms enable positive identification of an individual. Databases of enrolled templates are searched by matching engines at speeds measured in millions of templates per second and with infinitesimally small false match rates. Hundreds of millions of people around the world have been enrolled in iris recognition systems for convenience and security purposes, from passport-free automated border crossings to national ID functions. A key advantage of iris recognition, besides its speed of matching and its extreme resistance to false matches, is the stability of the iris as an internal, protected, yet externally visible organ of the eye.

SIMILARITIES AND DIFFERENCES While both iris and retina scanning are ocular-based biometric technologies, there are distinct differences that clearly separate the two modalities. Iris recognition uses a camera, similar to any digital camera, to capture an image of the iris. The iris is the colored ring around the pupil of the eye and is the only internal organ visible from outside the body. This allows for a non-intrusive method of capturing an image, since you can simply take a picture of the iris from some distance. Retinal scanning, on the other hand, requires a very close encounter with a scanning device that sends a beam of light deep inside the eye to capture an image of the retina. Since the retina is located at the back of the eye, retinal scanning is not widely accepted due to the intrusive process required to capture an image.

SIMILARITIES:

Low false accept and false reject rates
High reliability because no two people have the same iris or retinal pattern
Rapid verification of the biometric
Strong protection against some spoofing attacks, as the capillaries in the iris and retina decompose too rapidly to use an amputated eye to gain access

DIFFERENCES:

Retinal scan measurement accuracy can be affected by disease; iris fine texture remains remarkably stable
Retinal scanning requires close proximity to an eyepiece, such as looking into a microscope; iris capture is a normal photograph process and can be performed at a distance
Retinal biometrics are complex and have seen low commercial acceptance; iris scanning is widely accepted as a commercially viable modality
Retinal scanning is considered to be invasive; iris is not considered invasive.
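The “analog” decision Cornett describes in the spoofing article (a sample only has to be good enough to clear the matcher’s threshold) and the low false accept and false reject rates listed under SIMILARITIES are two views of the same operator-chosen threshold. The following is an added example, not code from this magazine or from any vendor it names: it computes FAR and FRR over constructed match scores for a range of thresholds and locates the equal-error point. The score values, the 0–100 scale and the threshold steps are assumptions; the matcher that would produce such scores is left out.

```python
from typing import List, Sequence, Tuple

# Constructed sample data (not measurements from the article): similarity scores
# on an assumed 0..100 scale returned by a hypothetical fingerprint matcher.
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]    # enrolled person vs. own template
IMPOSTOR_SCORES = [12, 34, 48, 27, 55, 19, 41, 63, 30, 22]   # other people vs. that template
THRESHOLDS = list(range(0, 101, 5))                           # assumed sweep of candidate thresholds


def pin_check(entered: str, stored: str) -> bool:
    """Binary decision: a PIN is either right or wrong; there is no 'close enough'.
    (Production code would use a constant-time comparison; omitted for clarity.)"""
    return entered == stored


def biometric_decision(score: float, threshold: float) -> bool:
    """Analog decision: a presented sample is accepted when its match score clears
    the threshold. A spoof does not have to be perfect, only good enough to clear it,
    which is why where the threshold sits matters as much as the sensor."""
    return score >= threshold


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """False accept rate: share of impostor attempts that pass at this threshold.
    False reject rate: share of genuine attempts that fail at this threshold."""
    false_accepts = sum(1 for s in impostor if biometric_decision(s, threshold))
    false_rejects = sum(1 for s in genuine if not biometric_decision(s, threshold))
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each candidate. Raising the threshold lowers FAR and
    raises FRR, so a 'convenience' tuning and a 'security' tuning of the same sensor
    differ only in where this line is drawn."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          thresholds: Sequence[float]) -> float:
    """Threshold at which FAR and FRR are closest (the equal error rate point),
    the usual single-number summary of how well a matcher separates the two populations."""
    def gap(t: float) -> float:
        far, frr = far_frr(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

With these constructed scores every threshold between 65 and 69 separates the two populations perfectly; real score distributions overlap, which is why liveness detection is added on top of the threshold rather than the threshold simply being raised.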


HAPPY BIRTHDAY HSPD-12

U.S. FEDERAL SMART CARD MANDATE HITS DECADE MARK MUCH HAS BEEN DONE BUT STILL A LONG WAY TO GO ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

As government documents go, “Homeland Security Presidential Directive 12” wasn’t very long – 717 words to be exact. But length isn’t any indication of influence, as a decade later the directive’s impact is still being felt throughout the identity market and is showing no sign of slowing. HSPD-12 called for standardized credentials for physical access to facilities and logical access to secure computer networks. It came in the wake of the September 11 attacks as the nation struggled to guard against an uncertain future and an unknown foe. Since the directive was signed in August 2004, almost 5 million credentials have been issued, covering 96% of executive branch employees and contractors. The smart card specification born out of HSPD-12 is known as FIPS 201. It is now on its third iteration. “The directive mobilized an entire security industry,” says Randy Vanderhoof, executive director at the Smart Card Alliance. “More than just the smart card credentials themselves, which was huge on its own, the directive altered the path of the identification and card issuance infrastructure that sits in front of the ID card, as well as the physical and logical access ecosystem that had to adapt to the cryptographic and biometric features of the credentials.” HSPD-12 ushered in a culture change for the executive branch of the U.S. government, and it paved the way for other identity initiatives including the National Strategy for Trusted Identities in Cyberspace. It’s not all a rosy portrait though. A decade on, use cases for the credential are few and the electronic functionality of the smart card is limited. Some agencies still look at smart cards as an “unfunded mandate” and more trouble than they’re worth. The latest version of FIPS 201 will enable derived credentials on mobile devices, though exactly how this will be done is still being determined. This may be the advancement that enables more applications for the credentials, as tablets and other mobile devices are becoming de facto computing devices for federal employees.

JULY EVENT TO COMMEMORATE HSPD-12

The Smart Card Alliance is planning a one-day event to commemorate Homeland Security Presidential Directive-12. The “Government Conference Special Edition Event: Celebrating the 10th Anniversary of HSPD12,” held with support from FICAM and the Interagency Advisory Board, will take place on July 31 at the Marriott Metro Center Hotel in Washington D.C. The event commemorates the government-wide security directive signed by President George W. Bush in August 2004. The directive standardized the identity and credentialing efforts of government agencies and resulted in the FIPS 201 smart card standard and the PIV credential. Speakers will review identity and security advances over the past decade, as well as look at future developments for PIV credentials including their use on mobile devices and cloud systems. In addition to the main program, a small vendor showcase will enable attendees to learn about products and services fostered by HSPD-12. Learn more or register online at SmartCardAlliance.org.

IT’S NOT PERFECT Rolling out smart cards throughout the executive branch of government hasn’t been an easy or perfect process, says Tony Cieri, leader of the U.S. government’s smart card-focused Interagency Advisory Board. Cieri is on the front lines of government smart card projects and has been an advocate of the technology since the pioneering U.S. Navy projects in the 1990s. “The real question is, are we better off than we were 10 years ago and has anything changed?” asks Cieri. He says yes. The FIPS 201 standards, its numerous special publication supporting documents as well as the processes and infrastructure put in place are all positive developments, Cieri says. “When you gauge the success of this, look at how many things had to be done and what the landscape looked like in 2004 versus where we are now,” he explains. “A lot has been done.” While the infrastructure and groundwork is in place, Cieri admits he would like to see more applications for the personal identity verification cards or PIV cards. “I would like to see the PIV used in many more ways,” he adds. And these applications are coming. The latest General Services Administration guidelines for physical access control call for all new systems to use the PIV. The Department of Defense is also in the process of rolling out a physical access control system that uses the Common Access Card. “This isn’t about changing technology, it’s about changing culture and acquisitions,” Cieri says. But HSPD-12 has also changed the technology. FIPS 201 and the PIV are considered by many to be the “gold standard” for identity credentials, says Jeremy Grant, senior executive advisor for Identity Management at NIST. Grant was working on government smart card projects at system integrator Maximus when the directive was enacted. Many government agencies had smart card projects deployed but HSPD-12 and FIPS 201 brought them to another level, Grant says. “It helped accelerate the pace of government smart card deployments and set a standard approach for agencies to tackle these projects,” he explains. It also helped cut the costs of smart cards and associated products while creating standards for interoperability. “They’re basically a commodity these days. As we look

to expand the identity ecosystem, more offerings should look like the PIV, with a wide range of standards-based products readily available and supported by many companies,” Grant says. The impact on the smart card industry has been profound. “Prior to HSPD-12, there was no standardized way to source smart card credentials from multiple manufacturers and have them be issued by multiple, trusted issuance parties that would be interoperable in access control systems for multiple security services, like door access, network log-in, and encrypted email,” Vanderhoof says. HSPD-12 went on to enable non-federal agencies to issue PIV-I cards, which extended trusted credential use to contractors, first responders and state governments. Grant often cites a single statistic – the 46% drop in network intrusions at the Defense Department – to show how the use of smart cards for logical access can help an agency. This statistic shows what strong authentication beyond user names and passwords can do for an enterprise, and it is a key driver behind the National Strategy for Trusted Identities in Cyberspace. While HSPD-12 was all about securing government networks and facilities for employees, the national strategy looks to put some of that capability in the hands of consumers and relying parties. “People often ask why we don’t take this PIV smart card technology and use it everywhere. On the consumer side it’s been harder to package strong authentication in a form that a consumer, retailer or other enterprise would be willing to use,” Grant explains. “Part of our challenge is to look at those barriers and partner with the private sector to overcome them.”

PRIOR TO HSPD-12, THERE WAS NO STANDARDIZED WAY TO SOURCE SMART CARD CREDENTIALS FROM MULTIPLE MANUFACTURERS AND HAVE THEM BE INTEROPERABLE ACROSS ISSUERS

CHALLENGES AND SKEPTICS STILL ABOUND Some of these barriers still exist within federal agencies that are supposed to be using the smart cards. A decade later some agency IT officials still look at smart cards as a waste, says one government source. “There’s been incremental progress but not a wholesale embrace of PIV,” the official says. “Some agencies just don’t want to do it.”

Everyday use cases for the credentials still don’t exist for many agencies. “Building out the security infrastructure that uses the PIV for everyday transactions has proven to be the most difficult part of this transition,” Vanderhoof says. “Getting the physical and logical access control systems updated and functioning remains a work in process. It has been tough to overcome the complexity that a full PKI-based security architecture requires when budgets are restricted by ongoing spending constraints.” This constraint exists even after a mandate from the White House Office of Management and Budget in 2011 called for all new physical and logical access control systems to be FIPS 201-compliant. Skeptics suggest that though budgets have been tight, there has been a long enough time to start rolling out systems. There’s hope that adding derived credential functionality might be able to break down the obstacles and have the credentials used more for logical access tasks. “Outside of DOD we don’t have comprehensive use of PIV for logical access and that could be the biggest disappointment,” says Neville Pattinson, vice president of government affairs and business development at Gemalto North America. Some agencies are using the credentials for limited logical access functionality but the majority of use, outside of the Defense Department, is for physical access, Pattinson says. “It’s a tragedy that the PIV isn’t used internally for access to their systems,” he adds. The latest version of FIPS 201 might change this with the virtual contact interface that expands contactless functionality as well as new support for derived credentials on mobile devices. “Once we have derived credentials it will enable use of digital credentials in many different ways,” Pattinson explains. “People are moving to mobile and tablet and once we have the derived credentials there will be a huge uptake in logical access.”

OUTSIDE OF THE DEFENSE DEPARTMENT, THERE ISN’T COMPREHENSIVE USE OF PIV FOR LOGICAL ACCESS AND THAT COULD BE THE BIGGEST DISAPPOINTMENT

Though most agree that FIPS 201 has made great technological strides toward interoperability, policy challenges across agencies have kept true interoperability elusive. If an employee goes to work at another agency, instead of having their existing PIV enrolled into the other agency’s identity management system, they are being issued another credential, Pattinson says. “The credentials are viewed as site based,” he adds. A lot has been accomplished in 10 years and more has yet to be completed. While the standardized smart cards don’t have the use cases everyone would like, they have instilled a new security culture for federal agencies. Hopefully in the next 10 years increased applications and security will be the norm for federal employees.


© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. January 2014 - Credit photos: Thinkstockphotos - CC

Trusted and convenient digital services for billions of individuals We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.

gemalto.com ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN MORE AT GEMALTO.COM


LOST MALAYSIAN FLIGHT HIGHLIGHTS PASSPORT SYSTEM VULNERABILITY MARK JOYNES, DIRECTOR OF PRODUCT MANAGEMENT FOR PKI, GOVERNMENT & NATIONAL ID SOLUTIONS, ENTRUST

The tragedy of Malaysian Flight 370 introduces a number of questions regarding flight safety, border security and travel document verification. During the investigation, it came to light that a pair of stolen passports – not to be confused with fraudulent passports – were used to board the flight. On April 4, the U.S. House of Representatives Committee on Homeland Security’s Subcommittee on Border and Maritime Security conducted a hearing, “Passport Fraud: An International Vulnerability,” that focused on this issue. Per a committee memorandum, the hearing:

Examined the threat posed by individuals traveling on lost, stolen or fraudulent passports
Discussed U.S. and foreign governments’ efforts to ensure the validity of air travelers’ documents.

IMPORTANCE OF THE DATABASE The INTERPOL Stolen and Lost Travel Document database is a critical resource that can help safeguard borders and travel – when properly used. The prime vulnerability exposed by Flight 370, as it relates to lost and stolen passports, is that countries generally do not validate the passports of outbound passengers in any meaningful sense. Even the handful of countries – for example the United States – that do make use of the INTERPOL databases have not leveraged that capability to assess and verify outbound passengers. To eliminate this vulnerability, the U.S. Department of Homeland Security indicates they are now checking all outbound documents, which could represent a virtual doubling of Homeland Security-to-INTERPOL processing over a dramatically short period of time.

THE ‘EYES-ON’ CHECK

When arriving travelers make their way through customs, the Stolen and Lost Travel Document check is just one of a number of measures – both technical and procedural – that are exercised. Also included is an “eyes-on” assessment by a trained border control agent. This eyes-on check of the traveler in context, which provides behavior and body language clues, is a vital component in the vetting of passengers through border control. With outbound travelers, however, the process is far less stringent. Adopting the Stolen and Lost Travel Document check for outbound passengers is an important first step to ensure lost or stolen documents are not being used. However, if the document is fraudulent or has not been reported stolen, there is nothing that can replace an outbound border control specialist with eyes-on training to pick up on important clues that something may be amiss.

OUTBOUND VALIDATION IS CRITICAL

While more than 110 countries are now issuing first-generation Basic Access Control electronic travel documents, very few – less than 15 – are electronically validating inbound passengers. And none of them are electronically validating outbound documents. Proper electronic validation – of both incoming and outgoing passengers – provides high assurance of the integrity and authenticity of the document, significantly mitigating the threat of forgery. While the potential for technology failures is always a possibility, it still provides the means to appropriately process travel documents for secondary inspection.
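To make the inbound/outbound point concrete, here is an added example that is not Entrust’s, INTERPOL’s or the article’s code: it screens a passport’s machine-readable zone the same way regardless of travel direction, first verifying the check digits of the second MRZ line and then looking the document up in a watch list. The check-digit algorithm (weights 7, 3, 1 modulo 10) is the ICAO Doc 9303 rule and is not described in the article; the MRZ lines are the public ICAO specimen passport; the watch list is a constructed in-memory set standing in for the Stolen and Lost Travel Document database. The caveat the article itself makes applies: check digits only catch read and transcription errors and a watch list only catches documents already reported, so neither detects a forgery or an unreported theft, which is what the chip-based validation the article goes on to describe is for.

```python
from typing import Dict, List, Set, Tuple

# Second MRZ line of the public ICAO Doc 9303 TD3 specimen passport (the 'UTOPIA' sample),
# and a reconstruction of its first line (issuing state UTO, holder ERIKSSON ANNA MARIA).
SPECIMEN_MRZ_LINE1 = "P<UTO" + "ERIKSSON<<ANNA<MARIA".ljust(39, "<")
SPECIMEN_MRZ_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed stand-in for the INTERPOL Stolen and Lost Travel Document database, keyed by
# (issuing state, document number). A real system queries INTERPOL, not a local set.
SLTD_WATCHLIST: Set[Tuple[str, str]] = {("UTO", "X000000X1")}


def mrz_char_value(c: str) -> int:
    """Doc 9303 character values: digits as themselves, A..Z as 10..35, filler '<' as 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted sum of the field with the repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    return sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def validate_td3(line1: str, line2: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a TD3 (passport-size) MRZ and verify its check digits.
    Returns (fields, problems). An empty problems list means the MRZ is internally
    consistent; it says nothing about whether the booklet itself is genuine."""
    if len(line1) != 44 or len(line2) != 44:
        return {}, ["MRZ lines must be 44 characters"]
    fields = {
        "issuing_state": line1[2:5],
        "document_number": line2[0:9],
        "nationality": line2[10:13],
        "birth_date": line2[13:19],
        "sex": line2[20],
        "expiry_date": line2[21:27],
        "optional_data": line2[28:42],
    }
    # (name, data covered by the check digit, check digit character). The composite digit
    # covers document number, birth date and expiry date with their own check digits,
    # plus the optional data field and its check digit.
    checks = [
        ("document number", line2[0:9], line2[9]),
        ("birth date", line2[13:19], line2[19]),
        ("expiry date", line2[21:27], line2[27]),
        ("optional data", line2[28:42], line2[42]),
        ("composite", line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    ]
    problems: List[str] = []
    for name, data, digit in checks:
        # A filler '<' in a check-digit position is read as 0.
        if mrz_check_digit(data) != mrz_char_value(digit):
            problems.append(f"{name} check digit mismatch")
    return fields, problems


def screen_document(line1: str, line2: str, direction: str,
                    watchlist: Set[Tuple[str, str]] = SLTD_WATCHLIST) -> List[str]:
    """Apply the same checks to inbound and outbound travelers; 'direction' is only
    recorded in the findings so an audit trail shows that outbound screening ran."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    fields, problems = validate_td3(line1, line2)
    if fields and (fields["issuing_state"], fields["document_number"]) in watchlist:
        problems.append("listed as stolen or lost")
    return [f"{direction}: {p}" for p in problems]


if __name__ == "__main__":
    for direction in ("inbound", "outbound"):
        print(direction, screen_document(SPECIMEN_MRZ_LINE1, SPECIMEN_MRZ_LINE2, direction) or "no findings")
```

Because the composite digit covers the document number together with its own check digit, altering one character of the number trips two independent checks, which is useful for distinguishing a misread from a badly altered zone during secondary inspection.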

USING ADVANCED PASSPORT TECHNOLOGY Leveraging more advanced technologies, like those associated with mapping the biometric of the individual to a trusted record at inspection time, would significantly mitigate the impersonation threat. Options include:

Advanced facial geometry/recognition mapped against a trusted representation of the individual held centrally.
Adoption of the European Union Schengen Area ePassports that are authenticated using second-generation biometric validation based on Extended Access Control protocols.

These procedures could be implemented to verify the travel documents of both departing and arriving passengers.

When properly validated, Extended Access Control-enabled travel documents create a biometric binding to the individual and provide the highest possible assurance that the individual is who they claim to be. In the U.S., even if there is no adoption of Extended Access Control protocols for their own document and validation technology, it may very well make sense to implement that validation for EU documents, which are also supported by Malaysia and Chile with others intending to come online.

SAFEGUARDING NON-ELECTRONIC DOCUMENTS To date, more than 85 countries have yet to migrate to ePassport standards. Many of these countries also lack rigorous processes around supply chain, identity-vetting and identity/credential management in general. While the criminal focus often lies with documents that have bad standing or credibility, the non-chip documents of these countries represent a much easier target for fraudulent manipulation.

While ePassports and other electronic travel documents are receiving heightened attention, vulnerabilities around the evaluation of non-electronic documents remain. The physical security features of these documents are essential to validation. International authorities – INTERPOL, ICAO and IATA – as well as developed world countries with concern for the threat of fraudulent travel documents, need to focus their efforts on building capacity in the developing world to recommend and support the following:

The provision of strong, fixed and variable physical document security features in machine-readable travel documents, especially where no electronic security features are anticipated
Rigorous processes around control of supply chain, identity-vetting and identity/credential management critical to the security of the ecosystem
Accelerated adoption of at least first-generation Basic Access Control ePassports.


TECHNOLOGY CHOICES ABOUND FOR STRONGER DIGITAL IDENTITY PASSWORD REPLACEMENT METHODS TAKE MANY FORMS Each month that passes seems to bring about another password breach or Internet vulnerability. Enterprises are aware of the insecurity of passwords and are actively seeking out different authentication technologies. Multi-factor authentication can go a long way toward preventing many of these breaches, as passwords are still the number one way hackers are gaining access to information on computer networks, according to the 2014 Data Breach Investigation Report from Verizon. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication, says Jay Jacobs, co-author of the report and a principal at Verizon Business. “Across the board, hackers are focused on compromising identities,” he explains. The 2014 data breach report analyzes more than 1,300 confirmed data breaches along with more than 63,000 reported security incidents. In an attempt to gain a better understanding of the cybersecurity landscape, for the first time the report includes security incidents that didn’t result in breaches. Over the entire 10-year range of this study, the tally of data breaches exceeds 3,800.

TWO OUT OF THREE BREACHES EXPLOIT WEAK OR STOLEN PASSWORDS, SO ENTERPRISES SHOULD MANDATE STRONG TWO-FACTOR AUTHENTICATION

Weak or default passwords led to many of the point-of-sale attacks last year. Most of these devices are open on the Internet and small merchants either don’t password protect them, use weak passwords or leave the default ones in place. “The big problem was that the same password was used for all organizations managed by the vendor. Once it was stolen, it essentially became a default password and the attackers also gained knowledge of the customer base. Armed with this information, the familiar modus operandi of installing malicious code that captured and transmitted the desired data began,” the report states. Verizon recommends that merchants make sure all passwords used for remote access to point-of-sale systems are not factory defaults, the name of the vendor, dictionary words, or otherwise weak choices. If a third party handles this responsibility they need to make sure they are adhering to this requirement. Also, two-factor authentication is crucial. Another area where credentials were targeted was with web app attacks. These attacks happen in one of two ways: exploiting a weakness in the application or using stolen credentials to impersonate a valid user. Within the financial industry, for example, hackers focus on gaining access to the user interface of the web-banking application.
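One way to turn the Verizon recommendation above into a check a merchant or its POS service provider can actually run, as an added example that is not from the report or the article: it flags a remote-access password that is a factory default, contains the vendor’s name, is a dictionary word, or is otherwise weak, and it separately reports any password reused across several merchants’ accounts, which is the report’s “same password for all organizations managed by the vendor” finding. The default and dictionary lists, the vendor name, the length and character-class thresholds and the account data are all constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder lists. A real check loads the POS vendor's published default
# credentials and a full wordlist; these few entries only illustrate the logic.
FACTORY_DEFAULTS = {"admin", "password", "123456", "12345678", "pos", "posadmin"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football", "merchant", "remote"}

MIN_LENGTH = 12            # assumed local policy values, not figures from the report
MIN_CHARACTER_CLASSES = 3


def letters_only(text: str) -> str:
    """Lower-case alphabetic core of a string, so 'Vendor2014!' still matches 'vendor'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_findings(password: str, vendor_name: str) -> List[str]:
    """Every reason the password fails the recommendation (an empty list means acceptable)."""
    findings: List[str] = []
    core = letters_only(password)
    vendor_core = letters_only(vendor_name)

    if password.lower() in FACTORY_DEFAULTS or core in FACTORY_DEFAULTS:
        findings.append("factory default")
    if vendor_core and vendor_core in core:
        findings.append("vendor name")
    if core in DICTIONARY_WORDS:
        findings.append("dictionary word")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    return findings


def is_acceptable(password: str, vendor_name: str) -> bool:
    return not password_findings(password, vendor_name)


def shared_passwords(accounts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password used by more than one merchant to the merchants sharing it.
    Reuse across customers is what turned one stolen password into a skeleton key."""
    users: Dict[str, List[str]] = defaultdict(list)
    for merchant, password in accounts:
        users[password].append(merchant)
    return {pw: names for pw, names in users.items() if len(names) > 1}


# Constructed remote-access accounts that a hypothetical POS service provider manages.
ACCOUNTS = [
    ("merchant-a", "Remote2013!"),
    ("merchant-b", "Remote2013!"),
    ("merchant-c", "x7#Qp!v2Lm9@Rt"),
]

if __name__ == "__main__":
    for merchant, pw in ACCOUNTS:
        print(merchant, password_findings(pw, "AcmePOS") or "ok")
    print("reused across merchants:", shared_passwords(ACCOUNTS))
```

In practice the reuse check would run over password hashes rather than clear-text values, and the whole check is a floor, not a substitute for the two-factor authentication the report also calls for.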

“They target user credentials and simply use the web applications protected with a single factor – a password – as the conduit to their goal. The tactics used by attackers are all the usual suspects: a) phishing techniques to either trick the user into supplying credentials or installing malware onto the client system, b) the old stand-by of brute force password guessing, and c) rarer cases of targeting the application through SQL,” the report states. Verizon again knocks the single-factor password for these attacks and recommends that enterprises mandate alternate authentication mechanisms.

MANY DIFFERENT APPROACHES ADDRESS PASSWORD WEAKNESS To combat these threats and bolster online security, vendors are coming up with a wide range of authentication approaches and technologies. The commonality is to make online identity more secure without adding burdensome hoops. The term “friction” is often used in conjunction with online identity. This doesn’t refer to the act of physically rubbing a token onto a laptop or smart phone, but rather to how much more difficult an authentication technology makes it to gain access to a web site or service. Simply put, no authentication scheme is without some friction. But the aim of technology providers and the relying parties who will deploy these new systems is to develop a scheme that is as friction-less as possible. Here are a few of the many companies working on solutions.



YUBICO Yubico offers a driver-less USB key called a YubiKey that serves as a second factor of authentication, says Stina Ehrensvard, CEO and founder of the company. Google uses the technology internally and seven of the top 10 Internet firms also use it for logical security within the enterprise. To securely authenticate software engineers to production networks and servers, Facebook deployed the YubiKey solution for quick and easy authentication of employees. The YubiKey is one of a series of two-factor authentication options Facebook employees can choose. Using the cloud-based platform from Duo Security, an array of options – push, SMS, mobile, voice – can be supported. With Duo, users are given a choice of device and method each time they authenticate. Additionally, Duo supports all phone types, from smart phones to landlines, and lets users authenticate with a variety of authentication factors including the YubiKey. The YubiKey Nano is designed to stay inside the USB slot once inserted. To authenticate, users simply press the device and a passcode is instantly and automatically entered; there is no need to physically re-type passcodes. Web developers can use widely available open source tools to create systems that enable the YubiKey for access, Ehrensvard says. She compares the YubiKey to a smart card in a keyfob form rather than a basic OTP device. “One-time passcode technology is good but there are emerging threats such as man-in-the-middle or man-in-the-browser attacks. It is better than passwords but not as good as smart cards,” she says. Smart card technology has its drawbacks as well, Ehrensvard explains. “Smart cards are complex, need readers, middleware and a Certificate Authority,” she says. “We’re trying to take smart card technology to the mass consumer market by removing the barriers and complexity.”

The YubiKey doesn’t require any middleware, drivers or a Certificate Authority. Instead the authentication is placed in the browser, enabling Web developers to build authentication protocols that take advantage of the device. In its default mode, the YubiKey works by emitting a one-time passcode by emulating a USB keyboard. As almost all modern computers support USB keyboards, the YubiKey requires no additional client software. A user inputs a password, inserts the YubiKey into the USB port and then presses the button to emit the OTP. The OTP is verified by the software or service supporting the YubiKey, enabling secure login in under a second. Each time a new OTP is generated, it invalidates all previously generated passcodes. This means that even if a YubiKey OTP is recorded, it cannot be used again to access a protected site or service. Each OTP is unique to the YubiKey it’s generated from, and cannot be duplicated or copied to another device.

Yubico is a member of the FIDO Alliance, an organization dedicated to bringing high-assurance authentication to the masses. The alliance is working on a Universal Authentication Framework and a Universal Second Factor.
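The replay property described above, as an added example in Python; this is not Yubico's code and not the real YubiKey OTP format. It models a service-side verifier that accepts a counter-based OTP only once and rejects anything older than the newest code it has already accepted, and it shows that a code from one device cannot be passed off as another's. The device ids, the shared secrets and the HMAC-based OTP layout are constructed for this example.

```python
"""Counter-based one-time passcode (OTP) verification with replay rejection.

Added example, not Yubico's code and not the YubiKey OTP format. Assumptions
(constructed for this example): device and verifier share a per-device
secret; an OTP carries the device's public id, a use counter and an HMAC
over both. The verifier keeps the highest counter it has accepted per device.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _mac(secret: bytes, public_id: str, counter: int) -> str:
    """HMAC-SHA256 over id and counter; stands in for the device's own OTP cipher."""
    return hmac.new(secret, f"{public_id}:{counter}".encode(), hashlib.sha256).hexdigest()


class Token:
    """Model of the hardware key: a secret and a monotonically increasing counter."""

    def __init__(self, public_id: str, secret: bytes) -> None:
        self.public_id = public_id
        self._secret = secret          # stays inside the device
        self._counter = 0

    def press(self) -> str:
        """Emit the next OTP, as pressing the button would type it."""
        self._counter += 1
        return f"{self.public_id}.{self._counter}.{_mac(self._secret, self.public_id, self._counter)}"


class Verifier:
    """Service side: per-device secrets plus the highest counter accepted so far."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def register(self, public_id: str, secret: bytes) -> None:
        self._secrets[public_id] = secret
        self._last_counter[public_id] = 0

    def verify(self, otp: str) -> bool:
        """Accept only an authentic OTP from a known device that is newer than the last accepted one."""
        try:
            public_id, counter_s, mac = otp.split(".")
            counter = int(counter_s)
        except ValueError:
            return False                                   # malformed input
        secret = self._secrets.get(public_id)
        if secret is None:
            return False                                   # unknown device
        if not hmac.compare_digest(_mac(secret, public_id, counter), mac):
            return False                                   # forged, tampered, or wrong device
        if counter <= self._last_counter[public_id]:
            return False                                   # replayed, or superseded by a newer OTP
        self._last_counter[public_id] = counter
        return True


def otp_demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Walk through the cases in the text; returns the verifier's decisions in order."""
    verifier = Verifier()
    secret_a, secret_b = secrets.token_bytes(32), secrets.token_bytes(32)
    key_a, key_b = Token("device-a", secret_a), Token("device-b", secret_b)   # constructed ids
    verifier.register(key_a.public_id, secret_a)
    verifier.register(key_b.public_id, secret_b)

    first = key_a.press()
    accepted_first = verifier.verify(first)      # fresh OTP: accepted
    replayed = verifier.verify(first)            # recorded OTP used again: rejected
    skipped = key_a.press()                      # generated but never submitted
    latest = key_a.press()
    accepted_latest = verifier.verify(latest)    # newest OTP: accepted
    stale = verifier.verify(skipped)             # older than the last accepted one: rejected
    # A code from key B relabelled with key A's id fails the MAC check.
    _, ctr, mac = key_b.press().split(".")
    cross_device = verifier.verify(f"{key_a.public_id}.{ctr}.{mac}")
    return accepted_first, replayed, accepted_latest, stale, cross_device


if __name__ == "__main__":
    print(otp_demo())
```

The counter check is what gives the "every new OTP invalidates all earlier ones" behaviour: the verifier does not need to store used codes, only the highest counter per device, so a stolen code is worthless as soon as the legitimate user presses the button again.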

FIDO AND UNIVERSAL AUTHENTICATION The password-less FIDO experience is supported by the Universal Authentication Framework. Using this framework, the user registers a device to the online service by selecting a preferred authentication mechanism such as swiping a finger, looking at the camera, speaking into the microphone or entering a PIN. Once registered, the user simply repeats the chosen authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. The Universal Authentication Framework also enables experiences that combine multiple authentication mechanisms such as fingerprint and PIN. FIDO’s two-factor experience is defined by the Universal Second Factor protocol. It enables online services to add security to their existing password infrastructure by adding an additional authentication factor. The user logs in with a username and password as before, but the service then prompts for a second factor device at any time. The second factor enables the service to simplify its passwords – a four-digit PIN for example may suffice – without compromising security. During registration and authentication, the user presents their preferred second factor – pressing a button on a USB device, tapping via NFC, presenting a biometric, etc. The user can use this FIDO Universal Second Factor device across all online services that support the protocol.
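An added illustration of the Universal Second Factor registration and authentication flow described above; this is not the FIDO specification's or any vendor's code. Real U2F registers a fresh ECDSA key pair per service and the server keeps only the public key; here an HMAC with a per-registration secret stands in for that signature so the example runs with the standard library alone. The origins, user name and key handles are constructed. What it shows is the part the text leaves implicit: the assertion covers the app id (origin), the server's one-time challenge and a use counter, so a response produced for one origin does not verify at another and a captured response cannot be replayed. This is the property that answers the man-in-the-middle concern raised earlier in the article.

```python
"""Origin-bound second-factor challenge-response, U2F style (added example).

Not FIDO's or any vendor's code. HMAC with a per-registration secret stands
in for the per-registration ECDSA key pair; in real U2F the relying party
would hold a public key only. Origins, handles and user names are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


class Authenticator:
    """Model of the second-factor device: one key per registration (service)."""

    def __init__(self) -> None:
        self._registrations: Dict[str, Tuple[str, bytes]] = {}   # handle -> (app_id, secret)
        self._counter = 0

    def register(self, app_id: str) -> Tuple[str, bytes]:
        """Create a key for this app id; return the handle and the verification key."""
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._registrations[handle] = (app_id, secret)
        return handle, secret

    def sign(self, app_id: str, handle: str, challenge: str) -> Optional[dict]:
        """Produce an assertion, or refuse if the handle was not registered for this origin."""
        reg = self._registrations.get(handle)
        if reg is None or reg[0] != app_id:
            return None
        self._counter += 1
        payload = json.dumps([app_id, challenge, self._counter]).encode()
        sig = hmac.new(reg[1], payload, hashlib.sha256).hexdigest()
        return {"counter": self._counter, "sig": sig}


class RelyingParty:
    """Model of the web service: handle, verification key and last counter per user."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self._users: Dict[str, dict] = {}

    def enroll(self, user: str, handle: str, verification_key: bytes) -> None:
        self._users[user] = {"handle": handle, "key": verification_key, "counter": 0}

    def new_challenge(self) -> str:
        """Fresh random challenge for each login attempt."""
        return secrets.token_hex(16)

    def verify(self, user: str, challenge: str, assertion: Optional[dict]) -> bool:
        if assertion is None or user not in self._users:
            return False
        rec = self._users[user]
        # The service signs its OWN app id into the expected payload, so an assertion
        # made for any other origin cannot match.
        payload = json.dumps([self.app_id, challenge, assertion["counter"]]).encode()
        expected = hmac.new(rec["key"], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False                    # wrong origin, wrong challenge or wrong key
        if assertion["counter"] <= rec["counter"]:
            return False                    # replayed assertion
        rec["counter"] = assertion["counter"]
        return True


def u2f_demo() -> Tuple[bool, bool, bool, bool]:
    bank = RelyingParty("https://bank.example")          # constructed origin
    device = Authenticator()
    handle, vkey = device.register(bank.app_id)
    bank.enroll("alice", handle, vkey)

    # 1. Genuine login: the browser passes the real origin to the device.
    c1 = bank.new_challenge()
    a1 = device.sign(bank.app_id, handle, c1)
    genuine = bank.verify("alice", c1, a1)

    # 2. The same assertion submitted a second time fails the counter check.
    replay = bank.verify("alice", c1, a1)

    # 3. A look-alike origin relaying the bank's challenge: the device holds no
    #    key for that origin and refuses to sign.
    c2 = bank.new_challenge()
    refused = device.sign("https://bank-login.example", handle, c2) is None

    # 4. An assertion the device does make for the look-alike's own registration
    #    still fails at the bank, because the origin is inside the signed payload.
    other_handle, _ = device.register("https://bank-login.example")
    a_other = device.sign("https://bank-login.example", other_handle, c2)
    cross_origin = bank.verify("alice", c2, a_other)
    return genuine, replay, refused, cross_origin


if __name__ == "__main__":
    print(u2f_demo())
```

Two details carry the security argument: the origin is supplied by the browser rather than by the page, so a site cannot claim to be another one, and the relying party always verifies against its own app id, so it never has to trust what the assertion says about where it was made.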

BLUETOOTH FOR ACCESS Kenneth Weiss, developer of the token-based authentication technology that became RSA’s SecurID, is working on a smart phone app that would give users up to three-factor authentication to a laptop or PC – with no additional hardware. “You’re protecting your device with something you already have,” says Weiss, now founder and CEO at Universal Secure Registry. After downloading an app to a handset and computer, authentication is performed via Bluetooth, Weiss says. The individual authenticates to the handset and app with a PIN or passcode, which then authenticates to the computer for two-factor security. If the handset has a biometric reader it could actually reach three-factor security. The handset sends a passcode to the computer via Bluetooth every 30 seconds, offering continuous authentication, Weiss says. When out of range, the computer is locked. The app can also be set up for mutual authentication, so not only is the handset authenticated to the computer but the computer is also authenticated to the handset. While the app will initially be used for access to computers, there are plans to create an API so that it can be enabled for access to web sites and secure networks as well, Weiss says. Users could be automatically logged into sites and networks that accept the authentication technology. Universal Secure Registry is working on apps for both iOS and Android and plans to release in mid-2014, Weiss says.

TOOPHER Toopher is touting invisible authentication but also may have one of the coolest tag lines for an identity company out there: “cool enough for James Bond and your mom can use it too.” Once an enterprise enables a site for Toopher, a user’s mobile device can serve as a second factor of authentication, says Roman Gonzalez, marketing director at the company. A consumer logs in to a Toopher-enabled site and opts to enroll their mobile device. They are asked to download the Toopher app to their mobile, if they have not already done so. A message is sent to the app, detailing the site to be added to the user’s Toopher chain. The consumer can choose to allow or deny the site. After approving the login request the individual would be logged on to the site. After this enrollment has been completed, the invisible authentication takes over. Toopher uses the geolocation feature of the mobile device, learning where a user typically logs in to various sites. If a login comes from a location that is not typical, a request is sent to the mobile to further authenticate prior to allowing the transaction. The system can also be used to authorize only specific transactions from a provider’s suite of services, Gonzalez explains. For example, if an individual is transferring funds or doing another high-risk transaction, Toopher can be used to authenticate the identity. The idea is to make transactions more secure without having to pull out the mobile device for every login, Gonzalez says. “It’s an invisible user experience,” he adds. Toopher is focusing on the financial services market for account access and also has a product that enables consumers to validate payment card transactions. The company also has products available for employee and enterprise access control.

COMBATING THE THREAT As the Verizon report shows, online accounts are more vulnerable than ever. Hackers aren’t going to stop going after weak user IDs and passwords. As breaches become increasingly common, the race to improve online authentication is in high gear. The examples detailed above show that there are many approaches – from hardware to software and active to invisible. A rich ecosystem of companies is emerging to combat fraudsters and help both consumers and enterprises confront this growing threat.



WILL BLUETOOTH KILL THE NFC CHIP? SOME CALL IT A MORE SECURE, EASIER TO WORK WITH COMMUNICATION PROTOCOL Near field communication has been an “emerging” technology for half a decade. During that time, it has jumped the initial hurdle of being deployed in handsets worldwide. But there are still obstacles to conquer if NFC is to truly go mainstream. Some are tired of waiting. “Physical access control has been a stale industry and this is one of the more exciting things to come around,” says John Fenske, vice president of product marketing for physical access control at HID Global. He’s not talking about NFC, but an alternative – some say competitive – technology called Bluetooth Low Energy or Bluetooth Smart. Some in the physical access control and identity markets are looking at Bluetooth Low Energy as a solution because it’s already in just about every recent model handset and computer. The specification has been included on iPhones and Android handsets since 2012. Plus it doesn’t have the NFC ecosystem’s complexity that requires enterprises to work with mobile network operators to place a credential on the device. “The barriers to using NFC have been high,” Fenske says. “If you’re looking at using a phone with NFC and you want to put information on the secure element, you have to go through the mobile operator and they charge for that access.” Bluetooth Low Energy applications, however, can be embedded elsewhere in the handset. HID or its dealers will have online portals where enterprises can provision access, he explains. Once all the proper information is entered into the portal, a user will be sent a link to download the app on to their device.

Usability has been another issue with NFC. It can be tough to use, and is rarely as easy as tapping a handset against a reader to enable an NFC credential, Fenske says. “We need to reconcile this,” he says. “NFC needs to be about consistent and powerful transactions.” Whereas NFC can typically be read from less than an inch away, Bluetooth can transmit at a distance of 10 to 15 feet. With this longer read range the problem then becomes how to decide when a specific door should open. HID is addressing this issue by including a gesture-based activation system. After walking up to the reader the user rotates the phone in a specified manner to activate the device’s built-in accelerometer that normally controls screen orientation. In this case, the motion triggers the credential and sends it to the access control reader.

A traditional knock against Bluetooth has been a lack of security, but the new specifications include 128-bit encryption. This has helped to lock down transmitted data clearing the way for more secure uses of the technology. “Bluetooth was promiscuous but now not so much,” says Lee Odess, general manager at Brivo Labs.

COMPETITIVE OR COMPLEMENTARY? Odess believes Bluetooth and NFC can work as complementary technologies in the physical access control world. Bluetooth can be used to get you in the front door of an office building and NFC can be used to unlock your office door or more secure areas of the building, he suggests. But it’s going to depend on what kind of security the enterprise wants to put in place, he says. It ultimately may come down to the prevalence of a technology, and when it comes to that, Bluetooth is in the lead. “If I had to place a million-dollar bet on which technology is going to win, I would say Bluetooth,” he says. As it’s often lamented, the iPhone has not committed to NFC. With every iteration of the Apple handset the rumor mill swirls with “will they/won’t they” discussions. Some don’t think that Apple will ever include NFC, instead favoring its own iBeacon technology, the company’s Bluetooth Low Energy solution. Apple seems to be launching iBeacon initially as a marketing tool. Retailers can place iBeacons in their stores to offer up promotions and deals to get people to visit. But there’s no obvious technical reason it couldn’t be used for other purposes. Apple isn’t the only one getting behind Bluetooth. Wearable technologies – like the Jawbone Up, Fitbit and others – use Bluetooth to keep in constant communication with smart phones. Moreover, it’s a virtual given in laptops and desktop computers purchased in the last two years. “NFC is playing in a completely different field than Bluetooth,” says Scott Kern, lead architect for identity and access management at Verizon Enterprise Solutions. “It’s great for point-of-sale but when you talk about a rich ecosystem with plenty of devices, that is not NFC.” Verizon is looking at a day when there can be multi-factor authentication that doesn’t require the user to do anything. Between a wearable device and a smart phone, a user could walk up to their laptop and be authenticated. “You can start building an ecosystem that ties back to the individual and doesn’t require them to authenticate,” Kern says.

The fact that consumers are already holding devices that have this technology solves the chicken and egg problem. If companies build products that take advantage of Bluetooth Low Energy, they can already start to use them without any additional effort, Kern says. “We aren’t starting from scratch,” he adds.

BRIVO LABS EXPLORES ‘CONTEXTUAL’ ACCESS CONTROL Brivo Systems is known for its cloud-based physical access control technology, but it launched Brivo Labs to work the cutting edge of physical access control. The new group is exploring “contextual” physical access control systems with the tagline “single sign-on for the physical world,” says Lee Odess, general manager at Brivo Labs. Typically physical access control is about keeping people out, but Brivo Labs is dedicated to enabling access based on permissions. “We’re looking at social access management,” Odess explains. “Instead of controlling access we want to know how people can manage their own access.” Brivo Labs is calling this Social Access Management and will enable clients to use the same identity at the office, at a sports stadium, movie theater and even at home, Odess says. One of the first systems Brivo Labs is working on is a visitor management solution called randivoo – pronounced rendezvous. Randivoo is being built into Salesforce.com to enable employees to provision access for visitors. Prior to the visit, the sponsor will send an email with a meeting request. From there, the guest will download the pass – such as a QR code – on to a smart phone. The system automatically sends a reminder the day before the meeting. When the guest arrives at the building, he goes to the kiosk and scans the QR code. A credential is issued to enable access to the appropriate area in the building, Odess explains. After the guest scans the code, the employee sponsoring the meeting is notified that the guest has arrived through a text message or other preset means. Eventually, the system may also take advantage of NFC and Bluetooth Low Energy instead of the QR code.

Brivo plans to enable guests to use any type of social identity, including Facebook, LinkedIn or Twitter. “We’re enabling the building or the person to determine what level of security they want,” Odess says. “It depends on the contextual security that the enterprise wants to use.” The idea is to have this type of physical access control system used at movie theaters, sports stadiums and other venues as well, Odess says. Brivo Labs is also looking at how Google Glass, Nike Fuelband and other wearable technologies can work with physical access control technologies to expand this contextual world.



VETTING IDENTITY ONLINE FOR STATE BENEFITS HEALTH CARE USHERS IN SECURE ACCESS FOR CITIZEN E-SERVICES ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLISHING



Anyone who has applied for social service benefits knows that reporting to a brick-and-mortar office can be painful at the best of times. It is for this reason that many states are turning to online application processing. But while the jump to online benefits applications makes sense for many reasons, not the least of which is convenience, there are vital concerns that must be addressed to ensure these systems are secure as well as easy to use. Vetting an identity online can be a tricky business, but thankfully, there are entities working to ensure that a citizen applying for Medicaid, child welfare or similar service is who they claim to be.

BIG DATA PROCESSING How do you establish a person’s identity via an online portal? LexisNexis is one of a handful of companies using public data to offer state agencies a level of assurance that a person is who they claim to be. “We have identity records for 585 million people alive or deceased and can provide that data to commercial and government organizations to actively identify their user bases,” explains Alisoun Moore, senior director of government health care at LexisNexis Risk Solutions. Companies like LexisNexis can provide access to the history of identity information. “If you register to vote, buy a car or apply for a driver license – things you typically do between the ages of 16 to 21 – we start tracking you from that moment forward,” says Moore. “It’s all public records information.” “We take information from about 10,000 sources of public record data, all standardized under the Fair Credit Reporting Act,” she explains. Public records contain virtually all the information that a state agency needs to verify a citizen’s identity. “If you rent an apartment or purchase a home, that address is public record and can be used to establish residency,” explains Moore. “If you find that a person has several addresses that are current, for example, that may tip off that the person may have some type of residency issue or discrepancy.”

This public information can then be built into the front end of an application for identity proofing. “The state of Florida has implemented an identity vetting process before the citizen even applies for care,” Moore explains. “Vetting in this instance is done via a short quiz using questions like ‘Did you live at this address in 2001?’” As Moore explains, Florida has seen a noticeable drop in cases of benefits application fraud following the additional vetting measures, as fraudulent users – who more than likely don’t know the answers to those questions – simply go away. The same vetting process can be used when you apply for a driver license. “The DMV checks your driving record, which is public information,” says Moore. “Then the LexisNexis database immediately provides information that allows the DMV to properly identify the individual who claims a specific identity.”

This stands in stark contrast to how state-level identity vetting has traditionally been conducted. “In-person vetting relies on a credential – driver license, passport, birth certificate, etc. – to determine that you are who you say you are,” explains Moore. “An agency employee checks to make sure that signatures match. That is how identity vetting has taken place for decades and continues today in many instances.” The proverbial monkey wrench, however, emerged with the electronic era. “It’s more efficient for government agencies to serve citizens via online applications, but that adds a big twist to identity vetting,” Moore says. The emergence of the Affordable Care Act – otherwise known as Obamacare – has greatly expedited the jump to online benefits applications. “The Affordable Care Act did something incredible, in that it incentivized health care in the U.S. – a $2.5 billion industry – to go digital,” says Moore. “It also incentivized health care providers to actually implement electronic health records, and it invested tens of millions of dollars to build and digitally operate health insurance exchanges.” Identifying people electronically now becomes key to this new digital health care world, and as Moore explains, it’s just the beginning. “This just started. Imagine things in another five years,” says Moore. “Wouldn’t it be nice if your health information could be securely and efficiently shared?” For now, the online portal is ground zero for digital benefits applications, with the longer-term future likely to leverage predictive analytics to better safeguard applicants.



“What we see for the future is the evolution of identity analytics,” she says. “For instance, you would be able to predict what type of fraudulent activity may occur with a particular application or service, as well as what things fraudsters might try.” The key to knowledge-based authentication technology is that it attempts to nip fraud in the bud. Typically fraud is identified through a tip on a hotline, and an enforcement entity investigates and then prosecutes the fraud. Moore believes there is a better way. “Verify and authenticate the identity of an individual up front, and you can ensure that the fraud never occurs in the first place,” she says.

BUILDING BRIDGES IN MICHIGAN Equally involved in moving identities online safely and securely is the National Strategy for Trusted Identities in Cyberspace. NSTIC has doled out funding for a number of trials, including two separate state government efforts to vet the identities of citizens online. In Michigan, MI Bridges – pronounced ‘My’ Bridges – is seeking to provide citizens with an online portal from which they can access a range of benefits. The timing for the new system seems spot on. “We had growing caseloads here in Michigan at our local offices, so the Department of Human Services and the Department of Technology Management created an online application for public benefits,” says Dave Akerly, director of communications for Michigan’s Department of Human Services. “The current process is manual and it can be time intensive, labor intensive and challenging for staff.” Efficiency isn’t just important to the state or federal employee in charge of processing the application – it is vital to the citizen as well. “From a client/citizen standpoint, the current manual system can delay financial benefits or other services requiring identity proofing,” says Akerly. MI Bridges is set to provide a number of advantages for both state agencies and the citizens they serve. “They get anytime, anywhere access to apply for our various benefits programs and to check on their status – both with their case and their application,” explains Akerly. “It shortens the time our staff spends answering phone calls, and will cut down on the number of in-person visits.”

According to Akerly’s estimation, MI Bridges is handling 7,000 online applications per week. The system will act as the front door for Human Services, which processes more than $6 billion annually – a majority of which comes in the form of benefits assistance. “That money is taxpayer dollars that you want to be assured is going to those who are not only eligible, but are also the person who they claim to be. That idea makes this pilot very important,” says Akerly.

“About 20% of our benefit applications are coming online, making the identity-vetting process more and more important,” explains Akerly. Akerly goes on to explain that MI Bridges takes a multi-layered approach to the identity vetting process. “Our initial, key eligibility determination is vetting the citizen so that we can then serve people by need, based on their identity. The identity proofing process is going to first validate that the citizen exists as an individual with a given name, address and date of birth,” he explains. “Then the user will be presented with a knowledge-based authentication quiz in a multiple choice format to provide the necessary identity authentication.” The knowledge-based identity quiz applies to things that only the citizen would know, not details that a stranger could pull out of another person’s wallet. This is where the likes of LexisNexis and other data aggregators provide assistance. “The likelihood is that only you will be able to answer these knowledge-based questions,” says Akerly. “We think the pilot has the potential to improve overall program integrity, prevent identity theft, and in so doing decrease our processing times for applications and lower administrative costs.” Residents can opt out of the knowledge-based aspect of the process, but doing so will likely extend the application process, Akerly says. Michigan’s pilot is designed to seek out those who try to game the system and assume someone else’s identity. It’s a practice that could also save money for the state and its residents that could otherwise have been lost to fraud. “We’ve found that it’s a lot easier to find out that someone is being untruthful up front and not award benefits, than it is to try to close something down later down the line when the state and federal government are already out a lot of money and the chances to recoup are much lower,” says Akerly. The program seems to be paying off. For every dollar spent on the fraud reduction portion of the program, the state has saved $25, Akerly says. “It has been very good at rooting out identity fraud on the front end,” he adds.

KEYSTONE STATE, KEYSTONE ID Pennsylvania has been hard at work on its own NSTIC pilot that promises to create secure, trusted online identities for use across organizational and institutional boundaries, spanning both the public and private sectors. The program partnered with the Department of Public Welfare to make use of its service and citizen directory, says Erik Avakian, chief information security officer for the Commonwealth of Pennsylvania. “The Department of Public Welfare maintains a lot of data on a lot of people,” he says. Anybody can sign up for an account that gives residents basic access, but there’s no level of identity with that. “If they want to sign up for welfare benefits or other secure services, they have to provide a certain level of identity validation,” he explains. The resulting account, a Keystone ID, is a single point of access from which the citizen can attain commonwealth services. As Avakian explains, the Keystone ID can be used for numerous applications across the enterprise. The agencies that are currently participating in the Pennsylvania pilot are the Department of Public Welfare, the Office of Administration and the Department of Health. Avakian says there have also been talks with Pennsylvania’s Department of Education. Like most states, a primary challenge for Pennsylvania – and a reason for pursuing the NSTIC pilot – was the many different agency systems throughout the commonwealth. “For welfare, as an example, they would have to log in and create the account, answer the security questions and then be validated for only that application,” says Avakian. “If that same person wanted to get a fishing license they would then have to go to a different agency’s website and register for that separately.” Consolidation was the key for Avakian and his team. “Our goal is a single online identity for the commonwealth citizen for the purpose of conducting online transactions,” says Avakian. “We’re moving from multiple directories and applications to a consolidated directory, and accompanying Keystone ID, that leaves each citizen with one account from which they manage their various applications.” The Keystone ID is the common tie that enables residents to access benefits applications, so interoperability is a necessity. “We needed an interoperable identity credential that enabled access to services from any of our state agencies, whether welfare, health information or employment compensation,” says Avakian. “You’re then reducing fraud and the potential of identity theft because you’ve got identity verification and identity proofing in one system.” While the new system will work with a wide range of state services, he sees particular promise in the health care sector. With health related information there is a strong crossover between the public and private sector, and both sides would likely want to be able to utilize that Keystone credential, explains Avakian. Avakian explains that the ultimate goal for the project is to determine how the Keystone ID will work across both public agencies and private entities like those in health care. He anticipates that the system will go live in the third quarter of 2014.

WHAT’S NEXT? At a rapid rate, health care and benefits applications are going digital, giving rise to a new host of identity challenges. With more people entering health care systems following the Affordable Care Act, the need to properly, effectively and efficiently vet an individual’s identity has become a vital concern. States are certain to continue down this path, offering federated high-assurance identities to citizens. While the process is beginning in the benefits arena, it is likely that the lessons learned and technologies deployed will one day extend across state services from Medicaid and unemployment all the way down to a fishing license. As the work being done by NSTIC pilot participants and data providers progresses, it will likely be the collaboration between the public and private sectors that will provide a safe, secure and interoperable online identity.



HARDWARE SECURITY MODULES: THE GOLD STANDARD FOR ENCRYPTION KEY SECURITY MATT MCCARTHY, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

One of the most infamous cyber attacks in history was the Stuxnet computer worm in 2010 that – among other things – caused a number of Iranian nuclear centrifuges to spin out of control and destroy themselves. The Stuxnet worm first targeted Microsoft Windows machines and networks before moving on to other software such as that used to program industrial control systems operating equipment such as centrifuges. This worm was able to evade auto-detection systems by presenting a digital certificate that seemed to indicate that it came from a trusted source. Exactly how the encryption key that was used to sign this certificate was compromised remains a mystery. But why it was vulnerable to compromise is clear: the key was stored in software. Had the encryption key been stored in a Hardware Security Module (HSM) instead of in software, the world might never have heard of Stuxnet.

THE NUTS AND BOLTS OF HSMS HSMs are secure, tamper-resistant pieces of hardware that store cryptographic keys and provide encryption, decryption, authentication and digital signing services. These modules traditionally come in the form of a plug-in card or an external device attached directly to a computer or network server. They are essential to manage and provide protection for transactions, identities and applications. Much of an HSM’s value comes from the fact that it is hardware. “When a key is in software it can live in a million places at once, it can be moved around and it is very hard to log and audit trust around its usage,” explains Mark Yakabuski, vice president of product management for Crypto Management at SafeNet Inc., a manufacturer of HSMs. An HSM generates a key inside the hardware, and that key never leaves it, explains Yakabuski. Because the only way to use the key is to ask the HSM to perform an operation with it, every use can be attributed and logged, and this results in an extremely high level of trust in that key. “It gives you a trust anchor for different business applications that want to use the identity,” he adds. “Because that key never leaves the HSM, it is very easy to audit and track for compliance reasons. You know exactly who used it and when it’s been used.”

THE EVOLUTION OF HSMS HSMs first began to appear on the market about 25 years ago and have evolved in stages. In the 1990s they were primarily PCMCIA and PCI cards, used largely to protect SSL web server keys and certificate authorities, the back end of a public key infrastructure (PKI). PKI lets users of the Internet and other public networks communicate securely and exchange data, or even money, using public and private cryptographic key pairs, with a certificate authority vouching for the binding between a public key and its owner. “The keys that they use to sign certificates are the keys to the kingdom for that infrastructure, especially when they’re at the root,” explains Mark Joynes, director of product management for Entrust PKI, Government and National ID Solutions. “They need to be secured so that they can’t be used by entities that aren’t authorized for their use. Since the inception of PKI, HSMs have been the best practice for the storage of those keys.” With the proliferation of the Internet and an expanding demand for secure communications in data and money transfers, the next step in the HSM evolution was to put them in appliance form so that they could be shared. “They were networked and could be connected to by many different users and applications that wanted to leverage the trust anchor,” Yakabuski says. “By 2000 HSMs had the early stages of multi-tenancy built into them.” Today, the use of HSMs is exploding. “One of the great reference cases for our HSM usage is in the financial sector,” Yakabuski says. “We have thousands of HSMs deployed for financial communication settlements between thousands of cooperating banks. It’s multiple trillions of dollars a day. Those identities are protected, that bank’s identity is protected and the customers’ identities are protected inside our HSM.” Joynes points to the latest deployment of HSMs in the border control systems of the European Union as an example of how the use of the hardware is expanding. Since PKI is an integral technology for the security and verification infrastructure of ePassports, the need for the trust anchor HSMs provide is growing. “There are private keys held at the inspection system,” explains Joynes. “The most recent standards see implementation of HSMs at those border control systems and that’s new. Previously the standards had called for them to be required only at the center. So in some environments we see increasing use as different risks are better understood and where they recognize the need for stronger security.”

THE NEXT GENERATION HSMS The next-generation HSM extends the benefits of the hardware to the cloud environment. “Software virtualization has some tremendous benefits of scale – the ability to scale up and scale down, as well as the ability to be very flexible and portable,” explains Yakabuski. “So we took the hardware security module and built an abstraction layer on top of it that would enable you to use the HSM like you use a hypervisor.” A hypervisor enables physical devices to share their resources across virtual machines running as guests on top of that physical hardware. “You can stand it up as a service and then provision that service out to consuming parties in a cloud manner,” says Yakabuski. Regardless of the type, Yakabuski and Joynes agree that the demand for HSMs will continue to rise. “As a general rule I think we – and systems in general – need to take a higher assurance approach to the security of private keying material,” says Joynes. “There is no doubt the threats that are arrayed against these systems are far greater and far more organized than ever before.” “It’s an industry, in terms of the threat to these systems. If a key is stored in software and someone really wants it they will get it,” explains Joynes. “HSMs are as close to failsafe as you can get. These things are tested to the highest levels and people look to them to be the end game.”


OAK RIDGE NATIONAL LABS DEPLOYS COMBINATION PIV, CIV SMART CARD ECOSYSTEM
LARGE DEPLOYMENT INCLUDES 260 OPERATING BUILDINGS, STAFF OF 9,000

Oak Ridge National Laboratory, a technology research facility for the U.S. Department of Energy, is deploying a mix of PIV (Personal Identity Verification, the FIPS 201 federal credential) and CIV (Commercial Identity Verification, the same card technology issued outside the federal trust framework) credentials throughout its Tennessee facilities. The new smart card credentials will be used for physical and logical access, says John Watson, group manager for the Laboratory Protection Division System at Oak Ridge. The lab went with the PIV smart cards for those employees who travel and need to use the credentials for access to other facilities, while CIV credentials will be for those who are just using the cards on site. The CIV credentials were less expensive than the PIV, Watson says. “You have to look at the risk and the most cost efficient way to do business and save the government money,” he explains. “If you look at the cost of PIV versus CIV, it’s a substantial savings, and if you have 4,500 people who don’t travel or visit other sites you have to look at ways to save.”

The employees issued CIV credentials still undergo a background check, but it’s not the same as the one undergone by those 3,500 employees receiving PIV credentials, Watson says. The CIV credentials have one other difference from the PIV credentials: they also carry a proximity chip. Employees preferred the performance of the proximity technology, which reacts quickly when held within a few inches of a reader, to that of the contactless smart cards, which require a more purposeful tap-and-hold presentation, Watson says. To facilitate the use of both technologies, the lab’s 1,400 entry points were outfitted with multi-technology readers that read both contactless smart cards and prox, Watson says. The lab will also be rolling out logical access using the credentials. PIV cardholders will use the certificates on the cards to gain access to controlled information systems, to digitally sign documents and to encrypt emails, says Thomas Flynn, vice president for Identity and Access at Gemalto North America. Gemalto is seeing enterprises that are associated with confidential government research and development and critical infrastructure, such as Oak Ridge, shore up security with PIV solutions, Flynn explains. Although FIPS 201 and PIV aren’t mandated for these organizations, the work they are doing in the federal space is necessitating it. Utility companies also are starting to deploy FIPS 201-specified PIV card systems for physical and logical access, says Flynn. For the deployment at Oak Ridge, Gemalto collaborated with Charismathics for logical access and Quantum Secure for physical access. This all-in-one offer gives Oak Ridge layered protection that reduces potential security breaches while safeguarding employee identities.



OPENID EYES TOP SPOT IN ONLINE IDENTITY

NEWLY STANDARDIZED USER AUTHENTICATION APPROACH SUPPORTED BY TECH GIANTS

Identity standards aren’t sexy. Biometrics, encryption apps and systems that enable high-assurance authentication get the bulk of the attention, but the standards that make these technologies work across the Internet are critical, even if they seem a bit dull. OpenID is one of these underlying technologies, and the latest version of the standard – OpenID Connect – has been ratified as an official standard by the OpenID Foundation members. Internet and mobile companies have implemented OpenID Connect worldwide, including Google, Microsoft, Deutsche Telekom, Salesforce, Ping Identity, Nomura Research Institute, leading mobile network operators and more. The standard is being built into commercial products and implemented in open source libraries for global deployments. The team that helped create OpenID Connect is one composed of rivals: Google, Microsoft and others, all competitors working to solve the digital identity problem, says Don Thibeau, executive director of the OpenID Foundation. The carriers are also on board, with the GSMA and its 650 mobile network operators endorsing OpenID Connect.


The basic idea behind the standard is interoperability. “Interoperability is at the heart of a more secure, privacy protecting, user centric Internet,” Thibeau says.

HOW IT WORKS From the consumer perspective, OpenID Connect may not look much different than other federated identity systems. “If you have an account that supports OpenID Connect it can be used to sign you in to other places,” says Mike Jones, director of Identity Partnerships at Microsoft. A consumer would log in to an identity provider – a social networking, ecommerce or other type of site that uses OpenID Connect – and then be able to use that identity elsewhere. But before handing any personal information to the other site, OpenID Connect ensures the consumer knows what information they are giving up. “The identity provider knows that you’re being asked to give up certain information to the relying party and it will ask if you’re ok, similar to installing a new app,” Jones explains.

At its core OpenID Connect is designed to exchange identity messages across a range of use cases, Jones says. Sitting at a workstation, using a mobile device, accessing information from the cloud or a secure network, OpenID Connect works the same way. The standard is also focused on privacy. While it can be used for access to multiple sites, the same identifier need not be used across all of them, Jones says: an identity provider can give each relying party its own pairwise identifier for the same user. “If I’m logging into a site, it might know me as a certain number but at another site I will be another number,” he explains. The spec can also scale across assurance levels, enabling different levels of assurance depending on the site, Jones says. Despite just being ratified, OpenID Connect has been in use for some time. Google has OpenID Connect embedded into Android, says Tim Bray, former Google identity guru and co-founder of the XML specification. “On Android we have built in an API so that an app can make an inquiry and get an identity token,” he explains. “It sends it to the backend system as a way to say ‘yes,’ this message was sent from someone with an identity.”


All of this can be done on a mobile device without a user having to keep reentering user names and passwords. “OpenID Connect gives you easy access to use cryptographic assertions that say this person was authenticated and wanted to share that information with the app,” Bray says. “Once the app has that assertion you can do anything with it.” While Google has deployed OpenID Connect on Android, Deutsche Telekom is rolling it out for its Internet subscribers, says Torsten Lodderstedt, senior product owner for identity management at Deutsche Telekom. Germany’s second largest email provider wants to be an identity provider and is using OpenID Connect as the backbone. Deutsche Telekom introduced OpenID Connect in mid-2013 and integrated it with PATH, a social networking site. The telecom giant is also working to enable customers to use the Deutsche Telekom ID on other sites as well. The Massachusetts Institute of Technology has also rolled out OpenID Connect and is exploring many potential uses of the standard. The school has a long history with authentication technology, having developed the Kerberos protocol in the 1980s that became the authentication engine for Microsoft Windows 2000, says Thomas Hardjono, technical lead and executive director at MIT’s Kerberos Consortium. The consortium was originally founded to do upkeep on the Kerberos code but has since refocused to look at personal data and emerging standards in identity management. OpenID Connect caught the eye of the consortium, and the group started testing the standard. It plans to roll it out for use on the MIT mobile app, Hardjono says. “We want to use OpenID Connect as the authentication mechanism for non-critical apps,” he says. The MIT app enables students to access different services that aren’t necessarily the most secure but still require a credential to access, for example information about laundry machine availability, student dining and other data sources, Hardjono explains.
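To make the mechanics concrete, here is an added example (written for this article, not code from Google, Microsoft, Deutsche Telekom or the OpenID Foundation) of the two halves of the exchange described above: the identity provider mints the signed assertion, an ID Token in JWT form, and the relying party validates it before trusting it. It also shows the privacy property Jones describes, with the same account appearing under a different pairwise subject identifier at two relying parties, derived as OpenID Connect Core suggests (a hash of sector identifier, local account ID and a secret salt). The issuer URL, client IDs, client secrets, salt and account ID are invented for the example; the HS256 signature with the client secret is one of the signing options the spec permits, chosen here so the block runs with the standard library only.

```python
"""Added example: minting and validating an OpenID Connect ID Token.

Not vendor code. Issuer, client IDs, secrets, salt and account IDs below
are hypothetical values constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"          # hypothetical identity provider
PAIRWISE_SALT = b"example-salt"         # hypothetical; kept secret by the IdP


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pairwise_sub(sector_identifier: str, local_account_id: str) -> str:
    """Pairwise subject as suggested in OpenID Connect Core 8.1:
    sub = SHA-256(sector_identifier || local_account_id || salt)."""
    h = hashlib.sha256()
    h.update(sector_identifier.encode())
    h.update(local_account_id.encode())
    h.update(PAIRWISE_SALT)
    return h.hexdigest()


def issue_id_token(client_id, client_secret, sector, local_account_id, nonce, now=None):
    """IdP side: build and sign the ID Token for one relying party (client)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": pairwise_sub(sector, local_account_id),
        "aud": client_id,
        "iat": now,
        "exp": now + 300,
        "nonce": nonce,       # echoed back so the RP can bind the token to its own request
        "auth_time": now,
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, client_id, client_secret, expected_nonce, now=None):
    """RP side: the checks a relying party must perform before trusting the
    assertion. Raises ValueError on any failure, returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":         # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:       # a token minted for another RP is rejected
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo():
    """Same IdP account ("user-42") logging in at two relying parties:
    each validates its own token and sees a different subject identifier."""
    secret_a, secret_b = b"secret-for-rp-a", b"secret-for-rp-b"   # constructed
    t0 = 1_400_000_000
    tok_a = issue_id_token("rp-a", secret_a, "https://rp-a.example", "user-42", "n1", now=t0)
    tok_b = issue_id_token("rp-b", secret_b, "https://rp-b.example", "user-42", "n2", now=t0)
    sub_a = validate_id_token(tok_a, "rp-a", secret_a, "n1", now=t0 + 1)["sub"]
    sub_b = validate_id_token(tok_b, "rp-b", secret_b, "n2", now=t0 + 1)["sub"]
    return sub_a, sub_b, tok_a


if __name__ == "__main__":
    a, b, _ = demo()
    print("rp-a knows the user as", a)
    print("rp-b knows the user as", b)
```

The audience, issuer, expiry and nonce checks are the ones that matter in practice: a token that validates cryptographically but was minted for a different relying party, or replayed from an earlier login, must still be refused.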

Whither SAML? When it comes to online identity standards, SAML is like the college student who has taken his time getting his undergrad degree. He’s been around for a while and isn’t going anywhere. And while OpenID Connect has just been ratified, it isn’t exactly the freshman attending the first day of classes. The standard has numerous worldwide deployments under its belt with more in the works. OpenID Connect enables enterprises to improve efficiency and security, but SAML isn’t going anywhere, says John Bradley, senior technical architect at Ping Identity. “There are a lot of niche use cases,” he adds. “Certain SAML assertions will be around for a long time for Web SSO profiles.” The other problem is that SAML is a huge specification and people pick and choose which portions they use, Bradley says. “SAML ended up being a scheme that explained how you did everything – so people just picked a subset of features because the whole thing was too complicated,” he explains. OpenID Connect offers a clean sheet of paper for those wanting something new and different, but as it stands, SAML looks certain to extend its stay.

Long term, MIT wants to use the system with single sign-on and federation for access to services outside of the school, Hardjono explains. At first it might be something as simple as enabling transcripts to be sent to an employer but eventually it could be more. “The MIT email address stays with them for life,” he says. “A bigger version of it might be for MIT to become an ID provider.”

DEVELOPER FRIENDLY OpenID 2.0 – the previous version before Connect – was widely used as well, but Connect is more developer friendly, Bray says. “There was some pain around interoperability,” he says. Connect, then, is designed to be easier to work with for web developers. Deutsche Telekom has had an easier time integrating apps with OpenID Connect than with OpenID 2.0. “It supports all integrations from OAuth and that wasn’t possible before,” Lodderstedt says. OAuth 2.0 is an authorization framework: it lets web servers, mobile applications and devices obtain scoped access to cloud APIs on a user’s behalf, but by itself it does not tell the application who the user is. OpenID Connect fills that gap by adding a signed identity assertion, the ID Token, on top of the OAuth 2.0 flows.

OpenID Connect builds on the foundation of open identity and security standards like OAuth 2.0 and TLS, the successor to SSL and the protocol behind “https.” As a result, it has the advantage of being easier for developers to implement and deploy than other identity protocols, enabling simpler deployments without sacrificing security. “It enables us to consolidate a bunch of things,” says John Bradley, senior technical architect at Ping Identity. “People can’t reasonably have every relying web site enabled, it’s really hard to maintain that and build it.” OpenID Connect can enable an enterprise to get rid of proprietary single sign-on solutions, Bradley says. Previously, in order to do large-scale federation across web sites controlled by different enterprises, organizations had to have single sign-on running inside the data center along with SAML, which created a complicated system. “With Connect you can harmonize a complicated architecture and use it between data centers,” he adds. When it comes right down to it, OpenID Connect aims to make online identity easier. With the impressive array of supporting organizations, it is likely to succeed.


TWO-FACTOR AUTHENTICATION KEY TO SECURING CLOUD
THOMAS FLYNN, VICE PRESIDENT OF GEMALTO IDENTITY AND ACCESS IN NORTH AMERICA

It has been six years since the notable cloud service breach at Salesforce.com, when an employee surrendered a password in a phishing attack against the company. As a result, hackers were able to obtain the contact details of thousands of Salesforce customers and then target them with a series of phishing emails that appeared to come from the company. At the time, Salesforce told its customers to “consider using two-factor authentication.” Fast forward to today and cloud security problems persist. In October 2013, hackers got past the security of Adobe’s Creative Cloud and its Revel photo sharing service and obtained Adobe customer IDs and encrypted passwords. Had Adobe customers been using two-factor authentication, their Adobe accounts would have been protected, because a compromised password is useless to an attacker without the second authenticator. (It would not have protected any other site where the same password was reused, which is why a password leak of this kind is dangerous well beyond the breached service.) Whether you are providing or accessing a public, private or hybrid cloud, two-factor authentication is critical.

Yet today, the majority of enterprises using multiple cloud services still choose convenience over security. This is primarily due to an outdated perception that implementing strong authentication is complicated, costly, hard to get management approval for, difficult to deploy and inconvenient for users. Today, the evolution of cloud services has toppled many of these barriers. Security has become a C-level issue as the high costs of data breaches and the potentially higher cost of damaged brand reputations have been highly publicized. Recent advances in networking software architectures and administrative tools have lowered the cost, time and expertise required to implement strong authentication to control access to cloud services.

STRONG, AFFORDABLE SOLUTIONS FOR OTP Cloud service providers that want to get on the fast track to strong authentication should start by considering one-time password access controls. One-time password solutions increase the security of the login process by ensuring the person accessing the network holds two factors of identity verification: something they have, the OTP device, and something they know, a password (the username identifies the account but is not itself a secret). OTP generators come in different form factors, such as handheld hardware tokens, display cards, SMS and mobile applications. All are effective ways to implement strong authentication, and they exemplify how different solutions can serve different needs. An OTP token can easily be attached to a lanyard or keychain and a display card can be carried in a wallet. Both provide a cost effective second layer of authentication without being cumbersome. Mobile text messaging and mobile apps are even less expensive ways to provide OTPs, especially with Bring Your Own Device becoming the norm. Today’s business associate is typically never without a mobile device, be it a smart phone or tablet. Using these mobile devices as the OTP token saves money and reduces complexity. There are two ways to use mobile devices for OTP authentication:

SMS. This enables the user to request an OTP when logging in to a specific resource. The user receives a text message from the network based on the mobile number on file with the company. This provides a second factor without the need to deploy any additional hardware, although the factor is only as strong as the mobile carrier’s protection of that phone number, which makes it the weakest of the options described here.

Smartphone app. With the explosion of app stores, OTP apps have been introduced that work on all leading smart phone operating systems. When a user is required to enter an OTP for strong authentication, they simply launch the app, which generates an OTP. This, again, eliminates the need for an additional hardware device, making this method both user-friendly and cost effective. Another important advantage of using the mobile device as the OTP token is the ability to download and self-provision the application. Enterprises can outsource the operation of the authentication server to a solution provider or bring the technology in house via on-premises hosting. Organizations can deploy across a variety of handsets and mobile operating environments. For companies researching OTP solutions, it is important to choose a solution that complies with the current OATH (Initiative for Open Authentication) standards, the HOTP event-based and TOTP time-based algorithms. These industry-wide standards for authentication can help reduce costs and bypass the inconveniences of proprietary solutions. Cloud computing is not a passing trend. Forrester forecasts the global market for cloud computing will grow to more than $241 billion in 2020, and CDW’s 2013 “State of the Cloud Report” said 75% of businesses reported using some type of cloud platform. Both the cloud and the smart mobile device have brought enterprises into a new era of productivity, efficiency and convenience – but sometimes at the expense of security. If they are to fully realize the potential of the cloud, cloud service providers must offer stronger methods of authentication. It is easier and more cost effective than ever before, and can be as simple as utilizing the devices we all know and carry – our smart phones – as the something “we have” when logging into a cloud service.

How it works: OTP-based strong authentication for cloud computing

1. A local or remote user is prompted to create a one-time password (OTP) for authentication to cloud services.
2. The user creates an OTP by pushing a button on the OTP device, or by using a mobile application to generate the OTP.
3. The OTP appears on the device screen or mobile phone, and the user enters it along with his username.
4. The cloud service verifies the username and OTP and the user is securely authenticated to the cloud service.

OTP: Form Factor Options

§ OTP token: A thumb-sized device that produces a new OTP at the push of a button.
§ Card token: Same functionality as the OTP thumb token, but in a credit card sized device.
§ Mobile Text Message/SMS OTP: The OTP is sent to the user via text message.
§ Mobile OTP: Rather than receiving a text message, the user requests the OTP by opening an application on their mobile device.
§ Dual OTP/PKI: This method requires the user to use any of the previously mentioned OTP methods, but the chip embedded in the device (OTP token or mobile device) is programmed to take the extra step and use digital certificates/PKI.



TODAY’S CONTACTLESS CARDS DO MORE THAN JUST OPEN DOORS
REAL-WORLD DEPLOYMENTS REVEAL RANGE OF SECURE SERVICES
RAINER LUTZ, SENIOR GLOBAL MARKETING MANAGER ACCESS MANAGEMENT, NXP SEMICONDUCTOR

What do college students, business travelers, sports enthusiasts and visitors of theme parks have in common? They’re all using contactless smart cards to do more than just open doors. In fact, they’re using multi-application smart cards to make purchases, personalize their experiences and access loyalty programs. Smart cards have become the chameleons of the ID world, adapting to new applications and providing new levels of service, security and flexibility. A quick look at some real-world use cases – two universities, a hotel, a sports arena and two theme parks – gives proof that contactless technologies have moved well beyond physical access control to become cross-market powerhouses.

CAMPUS CARDS: VILLANOVA UNIVERSITY & THE UNIVERSITY OF SAN FRANCISCO More than 1,500 universities are using contactless smart cards, based on NXP’s MIFARE ICs, to provide a range of services. Two such examples are Villanova University, near Philadelphia, and the University of San Francisco. Both have well-established smart card programs that combine building access with payment services using technology from The CBORD Group and Allegion. Now, both institutions are moving to extend their conventional, card-based systems to a mobile service that uses near field communication (NFC). A key point about MIFARE is that NFC works with it without changes to the reader infrastructure: an installed MIFARE reader talks to an NFC-enabled phone that is emulating the card in the same way it talks to a MIFARE smart card. To verify this and test the transition to NFC-based services, Villanova and the University of San Francisco ran similar pilots. They used a hardware sleeve, provided by Wireless Dynamics, to turn an iPhone without NFC hardware into an NFC-capable device. Pilot participants launched an app that was provisioned with a cloud-based credential and then, with the credential in place, tapped the phone against a reader. At both schools, the majority of participants preferred using their phone instead of a badge and found that the NFC-based approach was both convenient and secure. Moving card-based services onto a mobile device gives students one less thing to carry – or forget – and adds the option of a display interface for more advanced interactions. Over-the-air provisioning and management of digital keys simplifies the administration of access control, since students can be granted access privileges without making a special trip to campus or waiting in long registration lines. Students are also drawn to the use of new technology, which can benefit a school when it comes to attracting the best talent. In general, educational institutions can use contactless technologies to support more than 20 applications in four categories:

Secure ID: time and attendance, educational services, exam registration, logical access to PCs and online courses, etc.
Access management: residences, dining halls, classrooms, IT centers, gyms, performing-arts centers, libraries, etc.
Cashless micropayment: meal plans, vending machines, print services, laundry, books, parking, etc.
Mobility services: public transportation, car sharing, bike rentals, etc.

The result is a safe, essentially cash-free campus that lets students, teachers and staff focus on the work at hand.



BOUTIQUE HOTEL: MARRIOTT BROOKLYN FAIRFIELD In recent years, Brooklyn has earned a reputation for being one of the trendiest boroughs in New York, rivalling Manhattan for gourmet eateries, one-of-a-kind shopping and special places to stay. The Marriott Brooklyn Fairfield – a boutique hotel with 133 rooms – installed a MIFARE-based access system, supported by a software platform, to give guests an added level of convenience and security. The locking hardware is small and sleek, fitting right into the hotel’s modern style, and is easier to use than bulky locks that use traditional keys or magnetic cards. Hotel guests don’t have to fumble with a traditional key, and don’t have to worry about a magnetic card being accidentally deactivated by their smart phone. The supporting software system lets hotel staff assign and revoke pass privileges from a central computer and makes it possible to view the previous 600 access attempts on any given hotel lock, so activity can be verified if there is a guest dispute. Contactless smart cards can help on a larger scale, too. Global hotel corporations like Marriott, Hilton, Intercontinental and Hyatt have properties all over the world and need to manage access to millions of rooms in dozens of countries. They also have loyalty programs with millions of members. Contactless technology can support members with services that keep them coming back. For example, members might launch a booking app on their NFC smart phone with a tap from the company’s smart loyalty card. Location-based guidance could help find the closest property, and over-the-air provisioning could deliver a room key and parking access, eliminating the need to wait in line for check in. Once they arrive at the hotel, members could then use their smart phone or their loyalty card to gain special access to the gym or spa, pay for minibar items or purchase a meal in the restaurant. Every transaction can earn loyalty points, and points can be redeemed onsite at any time.

SPORTS ARENA: WASHINGTON NATIONALS BASEBALL Baseball is America’s national pastime, so it seems fitting that the Washington Nationals – the major-league baseball team for the nation’s capital – use an advanced smart card scheme. Season ticket holders receive the “Ultimate Ballpark Access” card, a MIFARE-based smart card that is a ticket, a loyalty card and a payment card all rolled into one. Cardholders have quick, contactless access to the venue, so there’s less waiting at the gate. Moments after entering the park, they receive a welcome message via email or text, along with an offer for a free hot dog. They get a 15% discount at the team store, and can use the Access card for payment as well. Cardholders also get special treatment at concession stands. They can use dedicated eCash lines, where smart card transactions are processed many times faster than in traditional cash or credit lines. Overall, the scheme enables a closer relationship between the team and its fans.

THEME PARK: TRANS STUDIO WORLD Indonesia is now home to two of the world’s largest indoor theme parks, Trans Studio Bandung and Trans Studio Makassar. The two locations attract large crowds on a daily basis, and use smart cards – based on MIFARE DESFire – for entry tickets, on-site shopping and payment of road tolls and parking fees. Visitors to the parks conduct transactions faster, with higher security and fewer chances for fraud or human error. The card system also provides park operators with valuable insights into customer behavior and preferences, making it possible to develop more customer-oriented programs. The positive experience extends beyond the park, too, as visitors can use the cards to make purchases at retail outlets in the surrounding area.

MINIATURE CITIES All the places described in this article – universities, resorts, stadiums, theme parks – are essentially cities in miniature, with unique populations and a specific set of requirements. In each case, contactless smart cards are making the people who spend time in these microcities feel more secure, more appreciated and more at home.


MACAO GOES CONTACTLESS FOR CITIZEN IDS
REGION REPLACES CONTACT CHIP CARDS TO INCREASE SPEED, DURABILITY
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

Residents in a region of China are going contactless to prove their identities. About 640,000 residents of the Macao Special Administrative Region of the People’s Republic of China are making the transition from contact-based smart cards to contactless. Software company Bell ID launched the Macao identity project in 2002. The card application management solution enables the government to enroll residents, issue identity cards and manage them. “The initial project was done with the contact chip cards using java,” says Erik Wellen, general manager at Bell ID for the Middle East. Wellen has been involved with the Macao identity project since its inception. “Roughly two or three years ago the government asked about using contactless cards,” he says. Bell ID began upgrading the infrastructure last year and completed the work in March. That’s when the Macao government began issuing contactless cards alongside the contact-based cards. As the contact cards expire at the end of a ten-year life span, they’ll be replaced with their new contactless counterparts. “From a lifecycle perspective, the residents will go to what we call the issuance and enrollment station, and they will enroll themselves,” Wellen says. “Their basic information is already in the database, which comes from the central registry.” The system will add the photo, fingerprint, and other information as needed. The data is then verified, processed and sent to the card personalization system. The cardholders will continue to conduct business just as they did with the contact cards. Wellen says users can go to self-service kiosks to access typical government services for everything from kindergarten registration to criminal record checks to passport applications. Users can also make a quick trip through the Macao Automated Passenger Clearance System. This border control system allows the residents to enter and exit Macao without showing their passport. 
They simply flash their contactless ID card and provide their fingerprint.

Wellen offers three major reasons why the Macao government embarked on the change to contactless.

Security. New security features have been incorporated into the contactless identity card. It’s a more advanced cryptographic solution than the original one that was introduced in 2002.

Speed. “If you are on the border between Macao and Hong Kong getting on a ferry, obviously there’s a lot of people that have to go through and board,” Wellen says. “If you can just swipe the card in front of the terminal, that makes it much faster. The reading time per card has been reduced by roughly two seconds.” That’s a lot of time saved when hundreds of people are boarding.

Lifespan. Wellen says chips can detach from contact-based cards and experience other difficulties. In a contactless card, “you don’t have a problem because the antenna is embedded much better into the plastic.”

Bell ID, headquartered in Rotterdam, The Netherlands, supplies token management software that helps customers manage smart cards and handle cryptographic key management. The company started in the early 90’s looking into identity cards and the use of fingerprints for the Dutch government. Those projects included a system for asylum seekers in The Netherlands using smart cards and biometrics. Then, the company developed its card application management system that enabled customers to issue, manage and track smart cards throughout their life cycles.


Heartbleed explained

Heartbleed was a bug – that has since been fixed – in the OpenSSL software used on web servers worldwide. OpenSSL encrypts data sent from the server to web visitors. It includes a feature called a heartbeat, which sends some data back to the visitor’s browser to let it know the site is ready and waiting for requests. In normal operation, the heartbeat sends back the same amount of data that it received from the browser, like an echo. But the Heartbleed bug added a vulnerability that enabled a hacker to request more data to be returned in the heartbeat – up to 65,536 bytes from the server’s memory block. What was included in the returned heartbeat data varied from server to server and session to session, but since it is simply grabbed from the server’s memory, it may have included elements a hacker could use such as usernames and passwords from recent visitors.
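To make the length problem described above concrete, here is an added illustration in Python (not code from the article and not OpenSSL’s code) that simulates the heartbeat exchange: a request carries a claimed payload length, the unchecked handler echoes that many bytes from where the payload starts, and the fixed handler discards any request whose claimed length does not fit inside the record it actually received. The message framing, the zero-filled stand-in for process memory and the “session-secret-example” neighbour bytes are all constructed for the demo.

```python
"""Simulation of the heartbeat length check behind Heartbleed (added example, not OpenSSL code)."""
import struct

HEADER_LEN = 1 + 2     # message type (1 byte) + payload_length (2 bytes, big-endian)
PADDING_LEN = 16       # padding bytes that must follow the payload
MEMORY_SIZE = 256      # size of the constructed stand-in for process memory


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request as a peer would send it. An honest peer sets claimed_len == len(payload);
    the bug is triggered when claimed_len is larger than the payload actually sent."""
    return b"\x01" + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING_LEN


def simulated_memory(record: bytes, neighbour: bytes) -> bytes:
    """Constructed process memory: the received record, then unrelated data that happens to sit
    after it (here a made-up secret), zero-filled up to MEMORY_SIZE."""
    mem = record + neighbour
    if len(mem) > MEMORY_SIZE:
        raise ValueError("constructed memory too small for this record")
    return mem + b"\x00" * (MEMORY_SIZE - len(mem))


def heartbeat_unchecked(memory: bytes) -> bytes:
    """Shape of the pre-fix logic: echo claimed_len bytes starting at the payload, trusting the
    peer's length field and ignoring how long the record really was. When claimed_len exceeds
    the real payload, the echo runs past the record into whatever follows it in memory."""
    claimed = struct.unpack(">H", memory[1:3])[0]
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def heartbeat_checked(memory: bytes, record_len: int):
    """Fixed logic: compare the claimed length against the record length actually received and
    silently discard the request if payload plus padding would not fit."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                      # too short to be a valid heartbeat
    claimed = struct.unpack(">H", memory[1:3])[0]
    if HEADER_LEN + claimed + PADDING_LEN > record_len:
        return None                      # the missing bounds check: drop, do not echo
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def demo(payload: bytes = b"hello", claimed_len: int = 64) -> dict:
    """Run both handlers over the same request and report what each would send back."""
    record = build_heartbeat(payload, claimed_len)
    memory = simulated_memory(record, b"session-secret-example")  # constructed neighbour data
    leak = heartbeat_unchecked(memory)
    return {
        "record_len": len(record),
        "unchecked_echo_len": len(leak),
        "neighbour_leaked": b"session-secret-example" in leak,
        "checked_echo": heartbeat_checked(memory, len(record)),
    }


if __name__ == "__main__":
    print(demo())            # malformed request: unchecked handler leaks the neighbour bytes
    print(demo(b"hello", 5))  # honest request: both handlers echo b"hello"
```

The defensive point is the single comparison in `heartbeat_checked`: the server must bound the echo by the length it received, never by the length the peer claims.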


A programming gaffe in OpenSSL may well be the worst security malfunction in Internet history. A quiet misstep in the coding of the OpenSSL heartbeat extension made encrypted data open to exploitation by hackers. Anyone can contribute to the open-source OpenSSL project, and a German computer programmer voluntarily working on the code says he accidentally added the vulnerability. Security engineers at Codenomicon and a researcher at Google Security stumbled upon the Heartbleed bug, sending hundreds of thousands of websites scrambling to plug the privacy leak. The flaw was born in December of 2011. The impacted version of OpenSSL was released a few months later, but it wasn’t until April of 2014 that the world found out about it. While the private version of SSL is sold to companies, the open-source version is free and used by the majority of web services to encrypt traffic. “It showed that the underlying security of roughly half the sites on the Internet was broken,” says Joe Siegrist, CEO of the identity access management provider LastPass. “Not only was the security of the transport broken but data was potentially leaking from those affected sites.” Heartbleed impacts a fundamental security layer of the Internet that creates a safe path between a user and a web service. Thanks to Heartbleed, many sites presumed to have a secure connection because they display “https” in their URL haven’t been safe for the past two years. Passwords and other data could have been openly accessed and the thieves likely would have gone undetected.


HEARTBLEED DEMONSTRATED THAT EVERYTHING WE THOUGHT WAS SECRET ON THE INTERNET IS, IN FACT, NOT SECRET

Codenomicon quickly launched heartbleed.com to answer the public’s questions and supply updates about the bug, which Siegrist calls “mammoth.” He says it was scary enough that a lot of companies reacted leisurely to Heartbleed, but it should really wake up consumers who use the same password for multiple sites. “It’s like reusing the same key for every lock and then taking a picture of that key and posting it on the Internet so that anybody can make a copy of it,” Siegrist says. “I’m hoping the lesson learned out of this is that you need to be using a password manager.” The widespread scope of the bug may lead to greater use of multi-factor authentication, although Siegrist doubts it’ll be built into an abundance of sites going forward. “I think multi factor is critical for your password manager and potentially your email as well.” But Siegrist says multi-factor authentication is tough on both the providers and the users. “I see a lot more value in federating identity with somebody that is doing multi factor for the end user,” Siegrist says. “So you have a high degree of confidence that they are who they say they are without subjecting them to your own multi-factor.”

WHY DID IT TAKE TWO YEARS?

“The Heartbleed breach has demonstrated that everything we thought was secret on the Internet is, in fact, not secret,” says Andre Boysen, executive vice president of marketing at identity provider SecureKey. “Heartbleed has lifted the veil on the security model of the Internet, and there’s been a collective gasp of disbelief.” It became clear that bugs aren’t more likely to be exposed just because open source software falls under public scrutiny. Boysen thinks the problem wasn’t discovered right away because it can be difficult to see the consequences of how software interacts. Plus, other elements may have been compensating to help keep information private.

“The entire Internet is anchored in secret user ID’s and passwords,” Boysen adds. “What we’re seeing is that’s an utterly inadequate way to secure all of the private information that needs to travel over the Internet.” Boysen explains that the bug shows how easy it is to copy passwords and leave no trace of the breach. There is no way to know how many thieves found the vulnerability and took advantage of it. “All of us have seen how the sausage factory that is the Internet of security works, and it’s actually scary,” Boysen says. “We’ve got to move beyond secrets on the Internet.” He thinks Heartbleed is going to galvanize the industry to make user access easier and stronger. That includes a renewed push toward multi-factor on the Internet and on devices that users commonly carry.

“So many users actually copy IDs and passwords across sites because that’s the only way they can manage,” says Boysen, who admits to having 300 user IDs and passwords. “But I am not going to configure 300 sites to use multi-factor authentication. That is a pain I would much rather not endure.” For the ten services he frequents most, Boysen says he’d be willing to use multi-factor but the rest need to find a way to participate in a shared multi-factor scheme. He says if multi-factor had been in place for more web services, the impact of Heartbleed would have been significantly curtailed. Private information would still have leaked out, but access to many accounts would have been harder to compromise.

Before any big change can happen, multi-factor has to overcome two problems. “One is that it’s a burden to the users,” Boysen explains. “The second is that the problem for me, the user, is that I don’t know who I’m giving this one-time password code to. So if there’s a man in the middle, an attack can be mounted.” Boysen believes all web services should deploy multi-factor, either directly or with a partner, and they can do it in a way that avoids hassles for the users.

SecureKey envisions a future where Internet security operates the way credit cards do. “I can take a single payment card, like a Visa card, and I can go to any merchant on the planet without any prior relationship and I can buy goods at that web service. By contrast, everywhere I go on the Internet, they say ‘here’s your user ID and password,’” Boysen says. “I am not going to download 300 multi-factor apps on my phone. So we think web service is going to be more like payments, where I’m going to choose my trusted provider.” The provider would help users reach all of their online destinations.

“Like with my real wallet, if I want three credit cards, I can have three different providers to segregate my life if I want to do that. If you want to have eight, you can have eight,” Boysen adds. “We think that’s the way this model is going to merge to make multi-factor access easier for users and more trustworthy for web services without having to put multi-factor on every service on the Internet.”

A repaired version of OpenSSL has been released in the time since Heartbleed. Developers can also recompile the flawed version and remove the heartbeat extension.



DEFINING PHYSICAL ACCESS CONTROL STANDARDS
KEY QUALITIES TO LOOK FOR IN EMERGING SPECS
TERRY GOLD, FOUNDER, IDANALYST LLC

I engage in a variety of conversations with manufacturers, integrators and end users in the physical access control space about systems that must live for a decade or two. Traditionally, technology decisions have been made with heavy influence from existing relationships, cost sensitivity and feature sets from the perspective of those that will operate these systems. But for end users conducting long term strategic planning that conversation is changing, and part of this new conversation surrounds physical access standards. Physical security professionals have to make decisions that serve the overall organization rather than a closed group. Their decisions are being driven by the need to offer value and become more than just a corporate cost center. Physical access control systems need to reduce risk and cost, increase efficiency and add value. They also need to collect better intelligence and enable collaboration with other departments for improved incident response and remediation. These requirements aren’t unique to physical access, as they reflect a common maturity cycle for organizations mandated to increase profitability. In turn these pressures place demands on vendors to design products that enable this goal.

THE LEGACY CHALLENGE

Years of regional decision-making and acquisitions have led to a collection of disparate physical access control systems. The physical security industry has an uneven record when it comes to driving interoperability with the implementation of standards, which has resulted in silos of infrastructure. Traditional approaches to dealing with this have been limited – forcing organizations to “rip and replace” silos with yet another proprietary technology from a single vendor. But this isn’t sustainable. It requires end users to be highly dependent, if not “locked-in,” for the lifespan of the investment, a commitment that cultivates the same long-term dependencies, limits adoption of competing innovation, results in uncompetitive pricing and reduces pressure on the incumbent vendor to innovate. IT has been working under the same set of drivers for more than a decade and the solutions available to them are much more advanced. The bottom line is that IT is far ahead of the physical access control side and pressure to align with them means playing catch-up by taking a page from their playbook. This is why standards are the key ingredient.

WHAT STANDARDS CAN BRING TO THE TABLE

Think of standards like Bluetooth headsets. As a consumer, I really don’t want to purchase a specific Bluetooth headset that only works with my handset model. Rather, I prefer to just know that anything called Bluetooth works with other devices that use Bluetooth. I can select from a range of vendors offering a variety of features, price, quality, performance and design. If I need to get another phone, my previous investment will still work and the same benefits will remain even when paired with a phone from another manufacturer. Physical access infrastructure should work in a similar manner.

SHADES OF GRAY

In physical access, standards are still the subject of confusion. What constitutes a standard? It’s a topic with room for variance of opinion and shades of gray. Books can – and have – been written on the topic in an attempt to clarify. There are, however, some universally accepted principles that can guide one to reach their own conclusion when assessing if something is a standard or not. Standards are always specifications, but not all specifications are standards. Think of a specification like a blueprint explaining “how” to build or execute. And then look at a standard as a common agreement for that particular blueprint. There are different paths that standards can take from birth to maturity. Typically they start out as common groups getting together to solve a problem, defining a charter and working on an initial specification. From here, it starts to get fuzzy. In general, they define processes for reasonably inclusive participation, neutrality in competing interests and control, appeals processes and common agreement.

THE MEASURE OF ‘OPEN’

Standards typically contain a defined set of specifications that govern data formats, protocols and interfaces. Thus, if any one vendor solely controls any one of these, it fosters many of the problems that we spent years trying to remediate. Single-vendor control limits choices and the ability to execute not only interoperability, but also the type of functions and services one can interface. At best, a “toll” is paid to that vendor for very specific and often limited use. Openness is important as it can be used constructively to determine how benevolent a standard really is. In determining how open a standard really is, one should ask several questions:

What is the process by which the standard was created?
Who maintains it after the initial version?
Is there a commitment to backward compatibility for early and subsequent adopters?
Is it extensible? If so, does it impact compliance?
Are the specifications reasonably accessible?
Is it too restrictive to achieve desired goals?

From my own perspective, I lean toward those standards that are more transparent in their mission and process. I also look at those that are democratic and engage a broader community, are less restrictive to access, and that implement, extend and reuse in a manner that is free of encumbrances.

PROGRESS

The good news is that there has been a great deal of focus and progress in this area over the past few years, bringing tangible results. Not intended to be a complete list, here are just a few examples that illustrate cooperation and execution across a subset of the physical access community.

OSDP (Open Supervised Device Protocol) is a specification that addresses key limitations of the legacy Wiegand communication protocol that defines data transfer between access control readers and systems. Using serial RS-485 cabling, it enables readers to communicate bi-directionally with a control panel. Where it was a laborious process to update firmware and settings locally at each door, it will be possible to do so centrally and remotely, as well as push out useful notifications, among other things. It also leverages Global Platform’s Secure Channel Protocol, a widely accepted secure communications method in smart cards for everything from readers to controllers, making up for where Wiegand increasingly falls short. It will also be extensible to allow transport over TCP/IP so it’s both backward compatible and forward capable.

ONVIF (Open Network Video Interface Forum) was started back in 2008 to harmonize interoperability between network video vendors for the benefit of end users and integrators implementing the devices. It is a good example of an open approach in governance and leveraging existing IT standards, such as Web Services, as opposed to reinventing something new and obscure.

PSIA (Physical Security Interoperability Alliance) is focused more broadly on interoperability across various IP-enabled devices to achieve plug-and-play functionality and, in turn, enable a variety of services to be shared for greater actionable intelligence.

PIV (Personal Identity Verification) is an initiative on the identity and credentialing front, created by and for the U.S. government. PIV filled a void particularly in the smart card market where standards for interoperability had long been a barrier to adoption and maintenance. It also enabled a path to use PKI in physical access, which is valuable because it offers an alternative to symmetric key implementations.

OPACITY (Open Protocol for Access Control, Identification and Ticketing with PrivacY) addresses the performance and complexity that PKI presents, but also provides the openness and security that the market increasingly demands on a contactless platform (such as protection against leakage of identifiers). PLAID (Protocol for Lightweight Authentication of Identity) is a contactless standard developed by the Australian government to address its requirement for stronger contactless security. Both OPACITY and PLAID are open source – the source code can be downloaded and has flexible terms for use and reuse – and share similar goals and principles. OPACITY has the edge for adoption in the U.S. given its approach in alignment with existing U.S. government specifications and registration with ISO as an authentication protocol. It is currently under review by ANSI (American National Standards Institute) for standards adoption.

LOOK FOR STANDARDS THAT ARE TRANSPARENT IN MISSION, ENGAGE A BROAD COMMUNITY, AND IMPLEMENT, EXTEND AND REUSE IN A MANNER FREE OF ENCUMBRANCES

THERE IS STILL A CHOICE

So does all this mean that there’s no place for proprietary technology? Not at all. A vendor may have an approach that is patented and exclusive but is incredibly valuable to a given situation. Also, vendors that leverage standards can decide the manner by which they carry out the specification, how well they do it, as well as offer additional services and functions that, when used in conjunction, make a stronger value proposition. The choice is up to the customer. There is no right or wrong choice. In terms of security, open standards promote accessibility, and in turn, peer review and testing across a large and competent community. This process is very good at discovering and correcting vulnerabilities. Therefore, it would just be logical when considering proprietary approaches to demand similar transparency and make sure that claims can be validated versus being told to “just trust us.”

THE BENEFIT OF COMMUNITY

Standards can, if executed properly, bring together a community wanting to solve the same problem. The individual standards development efforts are important, but more significant are the communities being built to solve the long-standing challenges that have prevented real progress and created the chasm between IT and physical access control. While we will have to wait and see which specifications are accepted and widely adopted, the participation of vendors, integrators, end users, trade organizations and others at the table is the new reality. This in itself will foster innovation and accelerate progress across an industry that had become complacent.



‘TEE’ IT UP FOR HIGH-ASSURANCE TRANSACTIONS
TRUSTED EXECUTION ENVIRONMENTS OFFER ALTERNATIVE TO SECURE ELEMENT
MATT MCCARTHY, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

When the ubiquitous smart phone or other mobile device is lost, panic ensues. Was it left in a taxi, or at the gym, or in a restaurant? Or, more maliciously, perhaps targeted for theft to access enterprise assets by criminals looking for a point of entry into a company’s systems. Luckily, the handset can be protected with a passcode or, in some cases, a biometric access control like a fingerprint scanner, voice or facial recognition software. These authentication systems rely on a matching engine to compare the authentication attempt with the reference template stored on the device. There are a number of places such authentication events can take place in the handset. One popular option is the Trusted Execution Environment (TEE) that enables secure transactions to take place outside of the device’s secure element. Authentication is just one task that can be performed in a TEE. Payments, protected content access and other secure processes are also key services controlled by the technology.

TEE BASICS

The TEE is a secure area that resides within the main processor of a smart phone or mobile device and ensures that sensitive data is stored, processed and protected in a trusted environment. It is made up of both software and tamper-resistant hardware, and acts as an alternative location to store data instead of relying on the operating system or the secure element.

“The TEE helps us get around the limitations of the secure element,” explains Kevin Gillick, executive director of GlobalPlatform, an association that develops specifications for secure and interoperable use of embedded applications on chip technology. “Within the secure element you don’t have much data storage and you don’t have a lot of processing capabilities,” explains Gillick. An alternative is the operating system but that has its drawbacks as well. “That’s a security problem because there’s so much opportunity to introduce malware or rogue activity and there’s little in the way of protection mechanisms,” Gillick explains.

The TEE is an ideal option for application developers because it provides computing power, memory and security, says Robert Brown, vice president of market development at Trustonic. A TEE must be built into a device by its manufacturer, but from there application developers have an easier time accessing this environment than the secure element. “We build trusted keys and roots of trust into the TEE and establish secure containers,” he adds. The mobile operator or handset manufacturer controls the secure element, says Brown, and the operating system isn’t secure and malware can corrupt it. “But we’ve set the TEE up so that anyone can access a container and manage it,” he explains.

TEE USE CASES

Gillick identifies three main use cases for TEEs. The first use is for streaming premium content – such as movies, music and eBooks – that require a high level of security to protect against unauthorized distribution but also a high level of functionality to deliver quality features expected by end-users. “Premium content requires protection because distribution is usually done through very carefully written licensing agreements, and they need to be protected so content can’t be copied or shared,” explains Gillick. The second use case Gillick identifies is in mobile financial services. The TEE can be used for NFC applications, making payments or using the device as a mobile point-of-sale terminal. The other main use case Gillick cites for the TEE is in secure access to resources in corporate environments, particularly as it relates to bring your own device. “If you want to access your enterprise resources from your phone or tablet, your company is going to be concerned about protecting that information. They are going to want to know how credentials are managed, how keys are managed, how certificates are managed – all the things that insure that their world is not compromised,” he adds.

The TEE can enable device manufacturers to add high-assurance authentication technology at a lower cost, Brown says. In the past there have been a couple of different ways to place biometric sensors on mobile devices and even PCs. One way was to have the sensor include a processor that would store and match the biometric data, but this was pricey, as it required additional hardware. The other way was to have the matching occur on the device’s processor, but this could be corrupted with viruses and malware. The TEE enables the matching to be done on the processor in a secure manner, and it is cheaper because a second processor isn’t necessary, Brown explains. Some are also looking to perform host-card emulation in the TEE, Brown says.

Host-card emulation is a protocol that would enable near field communication on devices without access to the secure element. Host card emulation functions could also take place in the TEE, improving the security of the overall approach.
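As an added illustration of the split Brown describes for biometric matching (this is not code from Trustonic, GlobalPlatform or the article), the Python model below keeps the enrolled template and a device key inside a TrustedMatcher object standing in for the trusted application, while everything outside it only ever handles a fresh sample and a signed yes/no verdict. The byte-string templates, the bit-distance threshold, the HMAC-tagged verdict and the shared device key are constructed assumptions for the demo; a real TEE would back the key with hardware and isolate the matcher from the operating system rather than rely on a Python object boundary.

```python
"""Toy model of a TEE-hosted biometric matcher (added example; not a real TEE API)."""
import hashlib
import hmac
import secrets


class TrustedMatcher:
    """Stands in for the trusted application inside the TEE. The reference template and the
    device key are private to this object; callers receive a signed verdict, never the template."""

    MAX_DISTANCE = 6   # constructed threshold: differing bits tolerated between sample and template

    def __init__(self, template: bytes, device_key: bytes):
        self._template = template
        self._key = device_key

    @staticmethod
    def _hamming(a: bytes, b: bytes) -> int:
        """Number of differing bits; a crude stand-in for a real matching engine."""
        return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

    def verify(self, sample: bytes, nonce: bytes) -> dict:
        """Match the presented sample and return a verdict bound to the caller's nonce."""
        matched = (len(sample) == len(self._template)
                   and self._hamming(sample, self._template) <= self.MAX_DISTANCE)
        tag = hmac.new(self._key, nonce + bytes([int(matched)]), hashlib.sha256).digest()
        return {"nonce": nonce, "matched": matched, "tag": tag}


def verdict_is_authentic(verdict: dict, device_key: bytes, expected_nonce: bytes) -> bool:
    """Relying-party check: the verdict must carry our nonce (no replay) and a valid tag
    (no tampering by the normal-world software that relayed it). It needs the device key,
    shared out of band in this toy, but never the template or the sample."""
    if verdict["nonce"] != expected_nonce:
        return False
    expected = hmac.new(device_key, verdict["nonce"] + bytes([int(verdict["matched"])]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, verdict["tag"])


def authenticate(matcher: TrustedMatcher, sample: bytes, device_key: bytes) -> bool:
    """Full round: relying party issues a nonce, normal world relays the sample and the verdict."""
    nonce = secrets.token_bytes(16)
    verdict = matcher.verify(sample, nonce)       # the call that crosses into the "TEE"
    return verdict_is_authentic(verdict, device_key, nonce) and verdict["matched"]


# Constructed demo data: an 8-byte template, a close sample (3 bits differ) and a distant one
DEVICE_KEY = secrets.token_bytes(32)
TEMPLATE = b"\x0f" * 8
CLOSE_SAMPLE = b"\x0e\x0c" + b"\x0f" * 6
FAR_SAMPLE = b"\xf0" * 8


def demo() -> dict:
    """Genuine user, impostor, a verdict altered in the normal world, and a replayed verdict."""
    matcher = TrustedMatcher(TEMPLATE, DEVICE_KEY)
    nonce = secrets.token_bytes(16)
    verdict = matcher.verify(FAR_SAMPLE, nonce)
    forged = dict(verdict, matched=True)           # normal-world code flips the answer
    replayed = dict(verdict)                        # old verdict presented to a new challenge
    return {
        "genuine": authenticate(matcher, CLOSE_SAMPLE, DEVICE_KEY),
        "impostor": authenticate(matcher, FAR_SAMPLE, DEVICE_KEY),
        "forged_accepted": verdict_is_authentic(forged, DEVICE_KEY, nonce) and forged["matched"],
        "replay_accepted": verdict_is_authentic(replayed, DEVICE_KEY, secrets.token_bytes(16)),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is what crosses the boundary: the template and key stay inside, the outside sees only a verdict it cannot alter or replay, which is why matching in the TEE does not depend on the operating system being free of malware.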

TEE STANDARDIZATION

Early iterations of TEE technology began appearing from the different handset and chip manufacturers, who included it in their devices as a part of their proprietary solution as early as fifteen years ago, says Gillick. In February of 2011, GlobalPlatform published a white paper recognizing a need for standardization, “The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market,” which outlines a roadmap to implementation and standardization of TEEs. Consulting and testing services provider FIME helps chip and handset manufacturers determine if TEE offerings are compliant with GlobalPlatform specifications. The organization stresses the importance of standardization in this arena, explains Stephanie El Rhomri, manager for Near Field Communication and payment vendor business line at FIME. “If you want to have widespread TEE adoption you cannot use proprietary technology.” As Gillick explains, “If TEE technology is not standardized then anyone developing an application is put into the uncomfortable situation of having to develop, support, and lifecycle manage their application in a different way for each operating environment to which their application is provisioned. “It gets cost prohibitive and acts as a block to the establishment of a mass market,” says Gillick. “So people really want to standardize the TEE.” And with access to the secure element a difficult task and malware for mobile devices on the rise, he believes that more and more applications will move to these trusted environments.



MANAGING LOGINS WITH ‘CLOUDENTR’
SOLUTION BRINGS BIG BUSINESS IDENTITY MANAGEMENT TO THE SMALL ENTERPRISE

re:ID Magazine publisher AVISIAN is not a multi-national company, nor does it have hundreds of employees, but we still have many of the same identity and access management issues that larger companies face. We use many SaaS tools and web apps for business operations, and some of these don’t enable multiple logins, requiring user names and passwords to be shared among employees. Making these passwords strong and memorable has always been difficult. This led us to evaluate different password solutions and identity and access management tools. After seeing a demo at a trade show, we decided to give Gemalto’s CloudEntr product a try.

Our internal administrator created user accounts for our staff and set up the initial series of sites we access during normal operations. To date, we have 18 sites enabled with CloudEntr, each of which is shared across some or all users. To set up a site, you select it from the list in CloudEntr and specify your user name and password. CloudEntr has a library of 1,300 sites for enterprises to access but others can be manually added, says Tom Smith, vice president of business development and strategy for CloudEntr. “The numbers go up every month,” he adds.

We found that most of our sites were already included in CloudEntr, which expedites the setup. For the services that were not available, it just took a few extra steps to ‘teach’ the app the location of the necessary data entry fields on the page. CloudEntr customer service was responsive and helpful in the couple of instances where we had difficulty setting up a site.

Because we knew we would be enrolling each site and entering usernames and passwords, we used this as a time to mandate a strong password policy. Each site is now protected by a 20-character, randomly generated code with upper and lower case letters, digits and special characters.

Next, each employee downloaded the CloudEntr app to all computers and mobile devices they use for access. The app is protected by a password, the only one they need to remember going forward. To access a protected site, they simply click the CloudEntr icon from the browser’s top bar and log in to the app. Then they select the site to access from their CloudEntr vault. The service handles the rest, supplying the username and strong password in the format required by the specific site.

Employees can also use the app for their personal sites, social networks and financial accounts. The company administrator cannot see this login information so the employee’s accounts are kept secure and private. The administrator controls which applications are shared with each user, and it can be done without the user ever seeing the password. This feature is nice if a contractor is working for a limited time because we don’t have to worry about sharing credentials; they can just click on the app within CloudEntr and have access to what they need. Access to CloudEntr can be protected using a one-time passcode generator that can be downloaded to a mobile device.

Gemalto is incorporating additional functionality into the system. In May, the site added the ability to federate identities that are SAML enabled. “We will be able to expose their APIs, build a user interface and add it to our library so customers can turn these apps on,” Smith says. The system is also looking at linking into Active Directory and other corporate resources for more integration, as well as including additional multi-factor authentication schemes, Smith says. “We want to add the necessary capabilities to go after larger organizations,” he adds.

Any downsides? It would be helpful if CloudEntr included a strong password generator to create the random strong passwords. We have to use other sites to generate these passwords, and then we enter them in CloudEntr. CloudEntr offers a free month to trial the system, and after that it’s $4 per user per month.
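Since the review notes that the random 20-character passwords had to be produced on other sites, here is an added example (not CloudEntr or Gemalto code) of generating them locally with Python’s secrets module: it guarantees at least one upper-case letter, lower-case letter, digit and special character, checks a value against that policy, and estimates the entropy of the draw. The special-character set is a constructed default; trim it to what a particular site accepts, since the review mentions sites with their own format requirements.

```python
"""Generate and check strong random passwords of the kind the review describes (added example)."""
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"   # constructed default; adjust to each site's rules


def generate_password(length: int = 20, special: str = SPECIAL) -> str:
    """Return a password of the given length that contains every character class.
    Uses the OS CSPRNG (secrets) for both the picks and the final shuffle."""
    classes = (UPPER, LOWER, DIGITS, special)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in classes]          # one guaranteed pick per class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):                    # Fisher-Yates shuffle with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, length: int = 20, special: str = SPECIAL) -> bool:
    """Policy from the review: exact length, with upper, lower, digit and special present,
    and nothing outside the agreed alphabet."""
    classes = (UPPER, LOWER, DIGITS, special)
    alphabet = "".join(classes)
    return (len(password) == length
            and all(any(c in cls for c in password) for cls in classes)
            and all(c in alphabet for c in password))


def entropy_bits(length: int = 20, special: str = SPECIAL) -> float:
    """Entropy of a uniform draw over the alphabet; the per-class guarantee removes only a
    negligible fraction of the space at this length, so this is a close upper bound."""
    alphabet_size = len(UPPER) + len(LOWER) + len(DIGITS) + len(special)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(), 1))
```

With the default 85-symbol alphabet a 20-character password carries roughly 128 bits, well beyond what any online guessing can reach; the shuffle matters because without it the first four positions would always hold one symbol from each class in a fixed order.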

