Regarding ID Summer 2013 by AVISIAN

34 A SUrVEy Of Id TEChNOlOGy - SUmmEr 2013 - ISSUE 34

access payment transit voting digital ID

Multi-App HAS ITS TIME FINALLY COME?

loyalty eID licensing login PKI

The path to interoperability.

HID iCLASS SE

Open, adaptable and powerfully secure, iCLASS SE® is the platform that simplifies everything.

iCLASS SE® is HID Global’s next generation access control platform that enables authentication of a wide variety of commercial credential technologies. A highly flexible reader family along with an array of multitechnology credentials ensure interoperability in a variety of technology environments. iCLASS SE is also enabled for (NFC) mobile phones and other smart devices. Now, you can use multiple form factors to create your ideal access control solution today. For more information, visit hidglobal.com/path-reid © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, iCLASS SE, Secure Identity Object, SIO and Seos are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.

WhAT SECURITY DEMANDS, DATACARD ID SYSTEMS DELIVER. ®

Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.

AUTHENTICATE PHYSICAL IDENTITIES, AUTOMATE PHYSICAL ACCESS, ACHIEVE AUDIT & COMPLIANCE 24/7 the safe software suite centralizes your disparate physical access platforms into a policy-based system that automates physical identity and access management. safe ensures that the right physical identity has the right access – for the right reasons – at the right time. With instant verification of who is where, why they are in that location, and who authorized their physical access. all managed automatically to achieve full auditability and compliance to various regulations. safe’s ability to automate these processes drives down operational costs. it’s the most efficient way to manage employees, contractors, visitors and their access lifecycle in your organization. make your world safe with quantum secure. quantumsecure.com • info@quantumsecure.com • 1.408.687.4587

phy siC al

titie

s pr iv

iden

s se oC

pr ing rd

oa -b

/o n-

w o

rk o w

va l

o pr

ar ed

pl m Co ty

ri Cu

at e om ut ll ya fu Ct ri

e ar

ati o

kf or

&e xpi r

se y-b a

gs tat us

tra

liC

inin

nC heC

syste

ileg es b ase

g vis itor

tiv tia

agin

ity & a CCess

on rol e

ini

aCC es

l aC

phys iCa

ies

oCa tion

Cess priv

ies

s Ce

liC

i lyt

itie

ian ss

ana

pl Ce

d on

and

ide

ilege s bas e

tit

man

rt i

siC yC

l id en

loCa tion

epo lr

hy rit

aCCess requ est and appr ovals

eve

self-serviCe

e-l

iCa

for

al se Cur

rl og

iCies

physiC

pol

and

rate

tiv

dispa

ses

Ces

rates

pro

oma tes

liz

ma te

siC

rifiCation watCh list ve

exe

integ

te ma

-b

-/o

aut

vid

e at

physiCal aCCess privileges based on baCkground-CheCk status

pro

liz

at e

SAFE

™ SAFE attestation audit SAFE

software suite

Ew e

er ag an m ty ti en id r to si vi

t ly

a an

iCs

C at

yt al

mp lia ng nC er FE eg S A do ul at F E Cu or in me fr nt m aC an ti ag on er m an ag er w

F SA

bb adg i

self s erviC

atio

al o rt

str egi

ine

tor

g n en

rit

raC

latio

t Con

re Cor

SAF

en E ev

al id

ger

SAF

physiC

a s man

SAFE

aCCes y and entit

d re matCh an SA FE data

tion ConCilia

CONTENTS

26 Cover Story:

What happened to multi-app? Multi-app smart cards were the talk of the town more a decade ago but the hype fizzled. With EMV on the horizon in the U.S., discussion around multiapp smart cards is heating up once again, begging the question: Will the future hold “one card” for payments, identity and other purposes?

32 Weak credentials lead to hacks The leading cause of breaches to IT networks is weak credentials. Security experts say enterprises should assume a “you’ve been breached” mantra and take steps – such as mandating multi-factor authentication – to improve weak credentials.

50 Improving ID document security As fraudsters come up with more ways to forge identity documents, enterprises and government agencies should look at passports as a standard for security. Physical document security is often an afterthought but using techniques like 600-DPI pigment ink and other techniques can make documents more difficult to counterfeit.

DMV

64 Virginia reducing identity silos The Commonwealth of Virginia will use data from its Department of Motor Vehicles to verify the identity of Medicaid recipient’s at enrollment. Other states are watching intently as they too consider tearing down the multiple, agency-specific identity silos in favor of a single authoritative source.

64 Summer 2013

CONTENTS

Multi-App HAS ITS TIME FINALLY COME?

6 Editorial: Groundhog day for the smart card History repeats itself 10 Id Shorts News and posts from the web 11 Calendar Industry events from the identity and security worlds 20 Podcasts ‘Death to NSTIC,’ 2FA goes mainstream, changing landscape for smart card manufacturers, biometric payments on campus 26 has the time for multiapplication smart cards ﬁnally come? Adding identity, other apps to EMV could hasten multi-app reality 32 Weak credentials enabling cyber crime Compromised passwords lead to breaches

Summer 2013

34 Id theft top concern for U.S. consumers Strong authentication needed to allay fears 36 Password best practices Lessons learned from recent hacks 38 Contact, contactless or flesh? Human body replaces ‘wires’ to transmit ID data 41 mobile app verifies first responders

54 fractional identity An alternative to NSTIC, federated identity models 58 Provisioning physical access credentials to mobile phones Trusted service managers key to enterprise deployment 60 Biometric fraudsters Technology breeds new brand of outlaw

42 Award-winning PkI projects streamline processes, increase convenience

63 face recognition fails in Boston Attempts to ID bombers falls short but technology succeeding in many jurisdictions

46 Company tangos with biometric payments Startup believes it can succeed where others have failed

64 Virginia launching statewide authentication System uses DMV data to verify Medicaid recipients

50 Improving Id security by taking a page from passports

66 Twitter, linkedIn breaches lead to two-factor authentication High-profile deployments seen as savior by some, knee jerk by others

53 Choosing the right card printer ribbon can save big bucks

Knowing “who” matters! Sometimes it’s not enough that someone knows a password. Sometimes you need more certainty about who is accessing your facility, your records, your sensitive inventory — certainty that a password or a smartcard cannot provide alone. With patented multispectral biometrics, only Lumidigm can answer who without question. When it’s important to have greater assurance of who is accessing your assets, choose an authentication solution from Lumidigm. Questions? Visit www.lumidigm.com, email us at sales@lumidigm.com or call +1 (505) 272-7057.

AdvantageTM

ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Liset Cruz, Andrew Hudson, Jill Jaracz, Gina Jordan, Ross Mathis

Groundhog day for the smart card

ART DIRECTOR Ryan Kline

Zack Martin, Editor, Avisian Publications

ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com

“Those who cannot remember the past are condemned to repeat it.” — George Santayana, philosopher

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

The multi-application story this month brought back memories of conversations past. Back in the early aughts when U.S. banks were issuing smart cards, there was great enthusiasm over everything that could be done with them. The idea was to smash multiple payments types and loyalty products onto a single piece of plastic, forever thinning the average consumer’s wallet. The Target Visa smart card may have been the biggest debacle. The retailer rolled out a Visa-branded smart card promising an innovative and exciting loyalty program. They also re-deployed the company’s entire point of sale reader infrastructure. We all knew that smart cards could enable exciting loyalty programs, automatically tracking frequency, punch cards and even daily specials. But what did Target choose? Coupons. And not even coupons that could be downloaded online for in-store redemption. Instead the customer had to visit a kiosk upon arrival in order to download coupons based on past purchases. Loyalty was the hot option for smart cards bank in those days. Instead of carrying punch cards for local sandwich and

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2013 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.

Summer 2013

coffee shops, a cross-merchant loyalty app would be on your smart card and incentives automatically redeemed as earned. No matter the size of your company – small locally owned coffee shop or multinational retailer – with smart cards you could have a loyalty program. It was a nice dream but it never turned into reality. In order for the mom and pop coffee shop to put a loyalty app on the smart card it would have to be approved by the bank that issued the card. Banks weren’t wild about letting others access the silicon and the processes for how it would be done seemed persistently murky. A handful of banks rolled out smart cards during those years, but none caught on. The programs fizzled and the panacea of the all-purpose, multi-app smart card followed them down. Today we may once again be on the precipice of multi-app in the U.S. EMV is coming ashore to secure payment transactions at U.S. points of sale. But could these pervasive cards be conduits to other secure transactions and applications?

PERSPECTIVE

In our cover story, we explore examples of EMV cards doing just that – providing glimpses to a multi-app future from around the globe. EMV is often used to secure transactions online with a card reader generating a one-time passcode. Can this be expanded to other online authorizations? Is physical security a reality as EMV goes contactless? What will the world learn from Nigeria’s nationwide rollout of a combination EMV and national ID card? Whether future applications, such as those posited in the cover story, go mainstream or remain isolated instances is anybody’s guess. Many believe that mobile devices – with their inherent multi-app capabilities – may supplant the need for multi-app cards just as they become viable. If multi-app manifests in plastic or mobile form, the issues that have stymied smart card deployments for decades still exist. Boiled down, the doors begin to come of when entities need to provision credentials on things they don’t own or control. Whether it is a smart card or a handset, it’s about rights and access to a secure element.

It derailed multi-app progress before, it has driven NFC handset progress to a snail’s pace and it still challenges today’s progressive card offerings. Common sense tells us that end users want multi-app in their cards and their mobile devices. They wanted it 20-years-ago when the promise first emerged and they want it today. Perhaps this time around the players can to get past the whose-logo-is-bigger argument and bring it to fruition. I hate to admit it, but I was more inclined to believe it would happen when the industry and I were younger. But hope springs eternal and maybe this time the multi-app dream can become a reality.

Summer 2013

October 15-16, 2013 • Washington, DC • Walter E. Washington Convention Center

Smart Card Alliance and Re:ID Magazine present:

USER-CENTRIC

LIVE

Opportunities for relying parties in NSTIC and the new identity ecosystem

THE FIRST EVENT FOCUSED ON THE BUSINESS OF USER-CENTRIC IDENTITY User-Centric ID Live is a comprehensive forum to address business challenges and commercial opportunities surrounding user-centric identity. The time is now. The products and services are being defined that will allow individuals to manage their personal identity across a range of web resources and mobile apps, commercial enterprises, retail and hospitality environments, in the workplace, at security checkpoints, and beyond. Conference sessions will focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem. Also presented will be an overview of the market and the social and legal issues that arise with these new tools.

EXPO A concurrent exhibition will

GET INVOLVED WITH NSTIC AND AN $11.9 BILLION MARKET

showcase the full range of

Helping expedite the market, the National Strategy for Trusted Identities in Cyberspace (NSTIC) outlines parameters for a user-centric identity ecosystem to be built and managed by the private sector. As the NSTIC pilots roll out this year, the opportunities for identity provisioning will expand exponentially as part of the $11.9 billion Identity and Access Management (IAM) market. Professionals who stay ahead of the knowledge curve will be ideally positioned to leverage these new identity models.

user-centric ID ecosystem.

technologies, solutions, and services that support the new

Promotion opportunities at the conference are available for leading companies offering products, technologies and services in this evolving field. This is a unique opportunity to showcase your company to a receptive and eager

MEET THE LEADERS DRIVING THE MARKET Conference content is presented by and for professionals from key industry verticals in this developing market – Financial Services, Online Retailing, Health Care, Hospitality, Education and Online Learning, Physical Security and Access, Technology Providers, Web and App Developers, Consultants, and Integrators.

audience. Contact: Bill Rutledge bill@cnxtd.com +1 212-866-2169.

Learn more and register at UCentricID.com Presented Concurrently with the 12 Annual Smart Card Alliance Government Conference – All-Access Conference Registration Options Are Available. th

LEARN MORE AND REGISTER

UCentricID.com

CONFERENCE Track 1

Track 2

Track 3

Results and challenges with the public-private identity ecosystem

User-centric identity concepts, technologies and how they will impact business

How retailers, banks, gov and others will consume identities in the new ecosystem

NSTIC program executive briefing Get the latest update on legislative and government perspectives from program insiders. Learn about prospective funding opportunities and new pilots.

Identity ecosystem for dummies A crash course in the concepts and technologies vying for dominance in the new realm of user-centric identity. Leave the session with the knowledge to talk-the-talk about the keys to next-generation identity.

Being a relying party is a good thing Explore the basics of relying parties and their role in the ecosystem. From health care and government to Web services and big-box retailers, the promise is protection against breaches and ID management database hacks.

NSTIC

TECHNOLOGY

Pilot progress: ‘Show me the numbers’ A panel of participants from the original pilots discuss initial results and unique test cases. Find out which trials could hold value for your organization. NSTIC: Lovers and haters Get a true sense for the public relations and consumer perception challenges in a mock debate between NSTIC proponents and contrarians. The global perspective: Competing and complementary initiatives Hear from leaders involved in Internet identity programs beyond U.S. borders. Can NSTIC work in tandem or will multi-national organizations be forced to support geospecific infrastructures?

Defining the major initiatives There are many identity initiatives in the market. Hear the ‘elevator speeches’ in a rapid-fire format from individuals driving and defining the key programs. Is there common ground in a cluttered market of identity solutions? A panel of participants representing key identity solutions and standards discuss whether one must prevail. Is there is need for multiple approaches to meet different demands or will there be a single winner? Use cases: Implementing identity in real world environments Largescale user-centric identity is just now emerging, but its building blocks have been deployed prior. Hear from enterprises that have deployed solutions, how they have worked and how they will evolve.

RELYING PARTIES

Lessons from ‘the first’ relying parties While NSTIC and the identity ecosystem may seem new, there have been precursors. Hear from these fledgling identity ecosystems and explore the benefits relying parties have gained from participation. Social networks as identity providers Some people love it, other hate it. Explore the pros and cons of using and consuming social network identities to authenticate users in your enterprise. Fortune 500 & SMB relying parties A mix of giants and startups discuss their participation in user-centric identity schemes and how they view their role in a future all-encompassing ecosystem.

ORGANIZERS ORGANIZED BY THE IDENTITY INDUSTRY THOUGHT LEADERS Regarding ID magazine (Re:ID) delivers in-depth, unrivaled coverage of identity technologies and projects around the globe to a high-profile base of decision makers and innovators. The Smart Card Alliance’s 200+ member companies include the majority of commercial organizations involved in the creation of the new identity ecosystem.

Id ShOrTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

qUANTUM SECURE UNVEILS CIV SOFTWARE

Quantum Secure introduced “SAFE for CIV,” a software solution that aims to close the physical identity management gap between PIV and non-PIV badge holders for government agencies. This solution creates one system to manage all identities while maintaining the security standards of PIV credentials. Quantum Secure’s SAFE for CIV software solution enables users to manage the entire lifecycle of CIV cards, cardholders and associated PKI certificates with auditing and reporting. The software includes the following features: Centralized on-boarding/off-boarding for all temporary personnel that need physical and/or logical access using standardized credentials such as CIV cards Automatic identity vetting for all personnel on-boarded for CIV cards Generation of user credential certificates through an integrated Public Key Infrastructure Creation and issuance of CIV smart cards

Summer 2013

Central management of issued CIV cards and their attributes with policies for suspension/revocation Automatic provisioning of the CIV card and associated identity into physical security systems and logical directory systems

SAFE for CIV is part of a physical identity and access management suite from Quantum Secure. The software suite enables organizations to centrally manage all types of identities and their physical access, including PIV, PIV-I, CIV and other cardholders and visitors. The system includes predefined policies for automating user provisioning and privilege management across disparate physical access control systems based on multiple conditions like user role, cardholder type, location etc.

NSTIC PILOT WITH AAAE GOES LIVE Daon and the American Association of Airport Executives (AAAE) announced that AAAE is the initial pilot participant to go live as part of the National Strat-

egy for Trusted Identities in Cyberspace initiative. Enrollment of AAAE airport executive members taking part in the Daon-led pilot has begun. Participating AAAE members will use credentials based on Daon’s IdentityX risk-based, multi-factor, mobile authentication technology to access restricted, member-only areas of the association’s web site. They will utilize their smart phones or tablets to verify their identity each time they access the web site sections that house sensitive data. TrustX, a Daon affiliate, hosts the identity management services in the cloud. This is the first relying party participating in a NSTIC pilot to go live. In addition to piloting the use of strong authentication credentials, Daon’s pilot focuses on the movement of relying party partners to external identity providers and trust frameworks as well as cross-sector credential interoperability. Following AAAE, other partners scheduled to go live include AARP, PayPal, Purdue University and a large financial institution. With the inaugural NSTIC pilot underway, the Daon team along with researchers at Purdue University, will

ID SHORTS

Calendar

MorphoTrak is enabling Missouri law enforcement to identify wanted or dangerous persons directly from the field eliminating the need to transport them to a police station to determine identity. The solution, dubbed MorphoIDent, works in conjunction with the FBI’s Repository for Individuals of Special Concern (RISC), enabling officers to determine if a person is wanted in another state. The RISC maintains a database of some 2 million wanted persons, registered sex offenders and known or suspected terrorists. Morpho’s solution outfits the Missouri State Highway Patrol with fingerprint capture devices, enabling officers to simultaneously search both state and RISC fingerprint databases.

2013 Biometric Consortium Conference Sept. 17–19, 2013 Tampa Convention Center Tampa, Fla. ASIS 2013 Sept. 24–27, 2013 McCormick Place Chicago, Ill.

User-Centric ID Live Oct. 15–16, 2013 Walter E. Washington Convention Center Washington, D.C.

october

Missouri law enforcement using mobile ID tech

September

be providing the initiative with important feedback about how identity verification via smart phone or tablet works in a real-world environment.

Smart Card Alliance Smart Cards in Government Oct. 15–16, 2013 Walter E. Washington Convention Center Washington, D.C. NFC and Mobile Money Summit Oct. 22–25, 2013 Milano Congressi Milan, Italy

november february

RSA Conference 2014 Feb. 24–28, 2014 Moscone Center San Francisco, Cal.

april

Officers reported MorphoIDent’s first RISC match just days after its launch when a man with no identification driving an illegal vehicle with clean plates was pulled over. After using MorphoIDent to identify the individual, the fingerprint capture device vibrated, signaling a hit on the individual’s record revealing that the man was wanted in Georgia. In addition to determining true identities from false names, MorphoIDent can also clear individuals with the same name as a person of interest as well as confirm the identity of incapacitated or deceased individuals. In the event that MorphoIDent does not find a match, the acquired print is discarded and the individual is free to go.

CARTES Secure Connexions Nov. 19–21, 2013 Paris Nord Villepinte Paris, France

NACCU Annual Conference April 13–16, 2014 Sheraton Chicago Chicago, Ill.

May

ISC East Oct. 30–31, 2013 Javits Center New York City, N.Y.

CARTES America May 6–8, 2014 Mirage Conference Center Las Vegas, Nev.

Summer 2013

Id ShOrTS

THE ONLY WAY TO MAKE SURE THAT EMPLOYERS DO NOT HIRE PEOPLE WHO ARE HERE ILLEGALLY IS TO HAVE A NON-fORGEABLE CARD. RIGHT NOW YOU CAN GO DOWN THE STREET AND GET A fORGED SOCIAL SECURITY CARD OR A DRIVER LICENSE fOR $100

IMMIGRATION BILL PROPOSES $1 BILLION fOR NEW SOCIAL SECURITY CARD The proposed immigration reform act calls for $1 billion to create and issue new Social Security cards. According to the bill, the new cards would have to be “fraud-resistant, tamperresistant, wear-resistant and identity theft-resistant social

Summer 2013

security cards.” Specific card technologies were not mentioned in the bill but there are only a handful of technologies, including smart cards, that would fit the criteria. If the bill passes as is, the Social Security Administration’s commissioner would have 180

days to start work on issuing the new credentials, and migrate exclusively to the new credentials within five years. The $1 billion would be included in the fiscal year 2014 budget and remain available until spent.

ID SHORTS

“We need the Social Security card to be authenticated in some way to make it useful,” says Kelli Emerick, executive director of the Secure ID Coalition. The bill also proposes changes to E-Verify, the system used to make sure an individual has

eligibility to work in the U.S. The new system would connect to state and federal databases so that employers could check driver license or passport photos against the individual applying for the job. The new process outlined in the bill could be problematic.

“It’s very cumbersome and very unwieldy,” Emerick says. “It puts employers in the position of identity vetting instead of verifying credentials.” The bill could be on the floor of the Senate for a vote some time in June.

Summer 2013

ID SHORTS

Next gen biometric: Brain waves A new biometric modality seemingly ripped from the pages of science fiction is enabling authentication via brain waves. A University of California Berkley School of Information professor and his students are working on a system that would see a user wear a headset equipped with electroencephalograms – EEGs – to measure brain wave activity. Using brain waves for identification is not a new idea, but the technology used to read those brainwaves is, according to representatives from the UC School of information. “Traditional clinical EEGs typically employ dense arrays of electrodes to record 32, 64, 128, or 256 channels of EEG data. But new consumer-grade headsets use just a

Summer 2013

single dry-contact sensor resting against the user’s forehead, providing a singlechannel EEG signal from the brain’s left frontal lobe.” The headsets cost just $100 and connect to a computer via Bluetooth. They look much like a typical headset for music or gaming. But can it work? In different scenarios the team was able to reduce the error rate to around 1%. To authenticate the system has users imagine performing different tasks. The important thing is to find a mental task that users don’t mind repeating on a daily basis. Favorite tasks included counting objects of a specific color, imagining singing a song of their choice, or simply focusing on their own breathing.

GSA taps XTec for card issuance support XTec was awarded a blanket purchase agreement by the General Services Administration for HSPD-12 card issuance support of the Federal Acquisition Service’s Managed Service Office. The agreement includes Personal Identity Verification cards and personalization services. The GSA-managed service office is responsible for delivering credentials to more than 90 agencies. Under the terms of the agreement, GSA may require technical and professional expertise for its customers as well as cardstock and personalization services. XTec teamed with Oberthur Technologies, a provider of PIV cards to the federal government.

Id ShOrTS

The XTec Team will provide its products and services through the managed service office’s USAccess program, which supports agencies’ logical and physical access control system implementation strategies.

EM MICROELECTRONIC REVEALS CONTACTLESS CARD INTEGRATING bOTH VICINITy AND PROxIMITy APPLICATIONS EM Microelectronic, part of the Swatch Group, released the EM4333 contactless smart card, a dual ISO 14443A and ISO 15693 compliant transponder that integrates vicinity and proximity applications on the same card. The EM4333 implements an enhanced auto-detection mechanism, which ensures that the ISO 14443 application is powered only in strong field conditions thus ensuring that the range of ISO 15693 is not reduced by the high speed ISO 14443A mode. The chip offers 64 kilobytes of code EEPROM and is designed to fulfill the specific needs of secure access control, public transportation, loyalty cards, electronic door locks or leisure park applications.

EqUIFAx IDENTITy PROOFING PLATFORM ACHIEVES LOA 3 The identity-proofing platform from Equifax achieved FICAM Level of Assurance 3 (LOA3) certification and has also been approved for use in the SAFEBioPharma Trust Framework. Equifax’s FICAM Assurance Level 3 demonstrates the company’s ability to protect user identities and agency data, while also working to reduce loss associated with fraud, waste and abuse. Equifax’s identity proofing platform is compatible with electronic ID cre-

dentials at NIST LOA2 and LOA3 by SAFE-BioPharma – a U.S. Governmentapproved Trusted Framework provider. SAFE-BioPharma certification ensures that identity credentials can be trusted and used at known levels of assurance by any U.S. federal agency. Equifax has been a provider of fraud detection and identity proofing for some time. Among the first organizations to be approved at LOA 1, Equifax is a founding member of the Open Identity Exchange, which worked alongside the General Services Administration in the establishment of identity proofing requirements for the various levels of service components.

itself, would add to the concept of unifying information across Europe and would have multi-application capabilities that could support additional features and uses.

E-DRIVER LICENSE GAINING TRACTION IN EUROPE More countries in the European Union are getting on board with the concept of an electronic driver license. Based on European Directive 383/2012, which advocates adding a smart secure element to licenses, six EU member states have completed the tender procedure and another six have shown interest. A European eLicense will be a step toward streamlining the current driver license systems into a single card. Eurosmart, a European association that represents the smart card industry for multi-sector applications, says that there are 110 different driver licenses in use in Europe. These licenses feature different languages, materials and information and the association feels that migrating to one standard chip card will be simpler for the EU to manage. Eurosmart also states that eLicenses that contain a smart chip and secure element enable better cross-checking of information printed on the license

EyELOCK PARTNERS WITH STANLEy SECURITy Stanley Security Solutions announced its partnership with EyeLock, a provider of iris-based identity authentication solutions. EyeLock provides a suite of irisbased identity authentication solutions as an added differentiator to Stanley’s existing security solutions. The EyeLock suite enables Stanley to focus on the financial services, banking, health care, industrial, education and government sectors. EyeLock’s access control solutions are utilized across many markets including enterprise access, banking, health care, homeland security and border control applications. Under the terms of this strategic partnership, Stanley has acquired the exclusive rights to distribute EyeLock’s proprietary technology, products and

Summer 2013

ID SHORTS

solutions for access control applications in the U.S., Canada and Europe. This partnership will also provide EyeLock with the financial and operational flexibility to accelerate and expand its portfolio of identity authentication solutions and focus on developing next generation applications for the mobile, cyber and logical access markets.

HID adds dual-interface cards to pivCLASS HID Global announced the addition of a dual-interface – contact and contactless – PIV credential to its pivCLASS Government Solutions portfolio. The aim is to simplify issuance of PIV cards and the process of upgrading an existing physical access control system to support FIPS-201 standards. The new pivCLASS smart card and pivCLASS portfolio supports federal contractors that need to leverage PIV-I through the Federal Bridge. The solu-

Summer 2013

tions can also be used for a wide range of commercial deployments. The smart card can be offered as a traditional PIV-I credential for government use, or as a Commercial Identity Verification (CIV) credential for current and emerging applications. In either case, the credential provides users with a single smart card for physical access to facilities as well as logical access to information systems. This includes secure certificate-based login to computers, as well as securing corporate networks, web-based applications and personal data. Additionally, the card supports multi-technology biometrics as well as strong authentication for Virtual Private Network access. HID Global’s pivCLASS credential includes the company’s Digital Identity Applets framework. This framework offers secure storage and protection for the smart card’s passwords, digital identity credentials, cryptographic functions, personal information and computer access capabilities. It also enables the card to deliver additional services beyond FIPS 201 such

as one-time password (OTP) generation, and securing the communication channel over the contactless interface.

Future of NFC greater than just payments The NFC Solutions Summit in Burlingame, California – put on by a partnership of the Smart Card Alliance and NFC Forum – examined the future of NFC and the best use cases for the technology. Widely considered to be an ideal solution for mobile payments, the Summit posits that the most promising applications for NFC may have nothing to do with payments. By next year, NFC-enabled handsets are expected to hit the half-billion mark and industry experts agree that this figure demonstrates that the first step toward widespread NFC adoption has been met. With NFC technology now firmly planted in the consumer market, experts beg the question, what will be the best application of NFC? Sony’s Koichi Tagawa, and chairman of the NFC Forum, says that applications like wine tracking and device pairing – apps that fill unmet needs and streamline activities – may prove to be the gold standard for NFC apps. Citing solutions in his home country of Japan, Tagawa lauds Japanese airlines’ use of NFC to facilitate the boarding of a 450-person plane in just 15 minutes – a process that takes 40 minutes without the assistance of NFC. As with any new technology there will be apprehension and a cautious approach to adoption, but Lynne Barton, Jamba Juice’s vice president of marketing, and a participant in the Isis Mobile Wallet pilots, believes that loyalty programs and couponing act as effective gateways for consumers to foray into the NFC market. “NFC should create, communicate and deliver value to customers,” says

ID SHORTS

Mohamed Awad of Broadcom and vice chairman of the NFC Forum. “There are several use cases where organizations are communicating the value of products to customers by differentiating with NFC, including smart home appliances, interactive games, travel services, opt-in magazine ads, and even tombstones.” The use of NFC goes beyond simple user convenience, however, boasting mobile security features that could renew user faith in conducting sensitive transactions using their mobile devices. Security is, of course, a concern for any mobile interaction, monetary or otherwise and Sebastian Taveau, chief technology officer at Validity, cites specifically fingerprint biometrics as a means of providing consumers with a fast and secure method to unlocking NFC applications on mobile devices.

Partnership develops security smart card with LED display German companies Infineon Technologies AG and Bundesdruckerei GmbH have teamed up to develop a security smart card with an LED display that features a one-time password (OTP). The technology in the card’s chip can generate a dynamic OTP, which it then displays on the LED screen. The system also has a static password, and together the two increase the security of authentication and payment applications. The card reader generates the energy needed to power the chip, generate the OTP and power the display elements. The dynamic OTP is only generated on the card itself and cannot be read from the card’s display by other software, such as malware.

The polycarbonate card can be used for a variety of login situations, including PC network access and Internet social networks. It may be used with conventional card readers or NFCenabled devices.

UL lab completes EAL4+ Common Criteria evaluation UL’s security laboratory in the UK has completed its first EAL4+ security evaluation under the supervision of UK CESG, the body responsible for information assurance certifications for the country. The lab has been working with CESG over the past year to finalize its accreditation and has partnered with Oberthur Technologies to conduct the evaluation of its ID-One Tachograph 1.0 against

Summer 2013

ID SHORTS

Tennessee deploys driver license renewal kiosks MorphoTrust USA and the Tennessee Department of Safety and Homeland Security unveiled self-service kiosks for renewal and replacement of driver licenses and ID cards at 40 new locations, including Driver Service Centers and alternate locations like public libraries and AAA offices. Kiosk users simply their old license or enter identifying information. The kiosk takes a photo and prints a receipt that serves as a temporary license until the permanent document arrives by mail in five to seven business days. The kiosks are networked with state driver license records and are equipped with image verification software that compares the person posing for the new photo with the previous license photo to prevent identity theft. Payment can be made with credit or debit cards.

Gemalto uses NFC, mobile phones for identification in the workplace

Common Criteria EAL4 augmented assurance level. The lab tested the product and found it met compliance standards in early December. In the next steps to being able to formally offer Common Criteria services, UL is now finalizing its appointment process with CESG and will soon announce its status as a Commercial Evaluation Facility. The lab is part of ULâ&#x20AC;&#x2122;s transaction security services, which was created in November 2012 by combining RFI Smart and Collis and Witham Laboratories.

Summer 2013

Gemalto is transforming mobile phones into secure authentication devices for the workplace via its UpTeq NFC SIM that enables secure entry to physical buildings as well as strong authentication on PCs, laptops and IT networks with the simple tap of a phone. Gemaltoâ&#x20AC;&#x2122;s UpTeq NFC SIM and embedded software support numerous industry standards for contactless access, and can effectively turn the mobile device into the key for many everyday tasks.

SALTO secures IT server racks with new GEO electronic cylinder SALTO Systems has launched a brand new version of its SALTO GEO (Global Electronic Opening) electronic cylinder specially developed for computing, data storage and IT companies. The new electronic cylinder lock provides a wire-free fully stand-alone electronic access control solution to secure access to server racks in increasingly important and sensitive locations. It also eliminates mechanical master key problems, as there is no need to replace all the cylinders if a key is lost or stolen. The SALTO GEO half-cylinder swing handle is fully integrated with the SALTO XS4 access control platform. Its compact size and easy installation make it the ideal electronic locking system for almost any type of swing handle server rack on the market. Available in six different color finishes, it offers a choice of ID carriers including iButton, Legic Prime, Legic Advant, Mifare, DESfire, Mifare Ultralight C and is NFC compatible on contactless versions.

ID SHORTS

Google updates strong authentication roadmap Five years ago, Google’s login team published a roadmap for stronger consumer authentication. It’s now released a report on that roadmap along with an updated version of what’s in store for the team. Eric Sachs, Google’s group product manager for identity, talked about the progress and challenges the team has had during this time. Google has managed to improve security through analyzing more signals at login to create risk-based login challenges. It’s added an opt-in, two-factor login verification process. It has an OpenID style login, which other web sites are starting to offer, and its implemented OAuth in native apps. Unfortunately, while OpenID is a complex strong authentication tool, it’s also complicated to implement, a challenge that Google plans to keep working on. Google has also discovered over the last five years that account recovery is a difficult and expensive problem, particularly as hackers and identity thieves become more sophisticated. Sachs writes that Google’s five-year roadmap has done a good job of laying the groundwork so that the team can continue making improvements to its authentication system. Adoption of mobile phones has also helped spur this continued effort. The team also plans to make an aggressive change to its login system. Users will either have to opt-in to Google’s two-factor login capability, or they will have to pass a two-factor challenge on most of their login attempts. Google will help to drive the ChannelID open standard to tie down bearer tokens and cookies to the device the user signs in with, in an effort to make them less risky and susceptible to attack.

While ChannelID is already available on Chrome, Google is testing it for account login tokens and cookies as well. Smarter hardware is also driving some of Google’s experiments. Now that Android and iOS apps can generate OTP codes, Google wants to see if a phone app can give notifications about risky behavior on an account and demand approval before allowing that behavior to occur. To help facilitate this, Google is working with the FIDO Alliance on Universal Second Factor (U2F) that website owners can leverage. Sachs writes that over the next five years Google also intends to explore ways to unlock a device and confirm risky action, including using biometrics to do so. The company is also looking into combining authentication methods in portable tokens that could include biometrics or NFC capability.

Google offers G+ sign-in for applications Google has announced on its blog that app developers may now leverage Google IDs for sign-in, eliminating the need to create additional accounts and remember more usernames and passwords. This shared ID can be used in apps for Android, iOS or the Web. Google users will be able to adjust the permissions on their account to enable data sharing with third-party apps. Users will be able to take advantage of two-step verification for security, and they can also manage apps they’re signed into through their Google account.

Summer 2013

Id ShOrTS

POdCASTS EPISODE 105: ‘DEATH TO NSTIC?’ Much has been said and written about the National Strategy for Trusted Identities in Cyberspace but Phil Wolff wanted to take a different look at the initiative. Wolff, strategy director at the Personal Data Ecosystem Consortium, was admittedly being “irascible” when he first started the session at a conference but he also wanted people to look for possible pitfalls with the plan and prepare accordingly. The “Death to NSTIC” panel has been held twice and Wolff also has written a white paper that looks at the possible risks with the initiative.

EPISODE 106: TWO-fACTOR AUTHENTICATION ON THE PATH TO MAINSTREAM Two-factor authentication will not only grow in popularity but will be the norm within two years, says Chester Wisniewski, senior security advisor at Sophos. Re:ID’s Gina Jordan spoke with Wisniewski about a Forrester Research report, which predicts that two-factor authentication will be widespread within two years. Wisniewski feels that widespread may be a bit of a stretch, stating instead that mainstream may be a more realistic description. “We’ve already seen the likes of Google, Facebook, banking institutions and online gaming facilities adopt two factor authentication as an optional, additional account verification method,” explains Wisniewski. Crucial to expanding adoption of two-factor authentication will likely be public awareness and education. “It’s important to explain to people that the benefits are two-fold in addition to two-factor,” says Wisniewski. “Today, we only authenticate online with something we know – our password – but two-factor simplifies passwords because it has something else to back it up that changes each time you use it.”

EPISODE 107: CHANGING LANDSCAPE fOR SMART CARD MANUfACTURERS Smart card manufacturers are changing their focus from producing cards to software and services, says Jean-Noel Georges, global program director at Frost & Sullivan. Re:ID’s Gina Jordan spoke with him about the changing market and where smart card manufacturers are focusing their energy.

MATICA SySTEM REVEALS NEW SMARTSUPPLy RIbbON SOLUTION Card personalization and ID card printer specialist, Matica System, announced the release of its new SmartSupply ribbons and overlay. The new solution comes in a variety ribbon-based formats, including multi-panel dye-sublimation color, dye-sublimation monochrome and thermal transfer monochrome. The SmartSupply suite of products features smart tags, and is compatible with any legacy Speedimo print module and with the new systems being shipped with built-in smart tag readers. All previously installed systems will be able to access the same SmartSupply features using a simple upgrade tool. Benefits of the new SmartSupply solution include automatic ribbon recognition, low ribbon warning alerts, alerts to avoid mismatching between job requirements and ribbon types, a more consistent print quality and longer print head warranties. All Matica print systems shipped after March 1 will feature SmartSupply enabled S1 Speedimo modules. All previously installed print modules are encouraged to upgrade with SmartSupply S1 Speedimo kits to access the new features.

EPISODE 108: BIOMETRIC PAYMENTS ON CAMPUS

HOMELAND SECURITy REExAMINES bIOMETRIC ExIT

San Jose State University wants to improve payment authentication on campus. So, when it ran across Natural Security at a conference it decided to explore using the company’s biometric and mobile security technology. Re:ID’s Gina Jordan spoke with Brian Mitchler, the services systems manager for the school’s primary retailer, Spartan Shops, about the pilot and how it works.

In 2005 it would not have been out of place to see a Homeland Security official walking around an airport, basically wearing biometric sensors. This was one of the first attempts to collect biometrics from foreign travelers for the US VISIT program.

Summer 2013

Id ShOrTS

The results of that pilot weren’t made public – actually none of the handful of biometric exit pilots have been made public – and while the requirement for biometric verification of a foreign traveler is still on the books, Homeland Security hasn’t been able to accomplish the mission. However, with immigration reform on the U.S. Senate’s agenda, biometric exit has once again been thrust into the spotlight. Instead of mandating biometric exit at all ports, systems will be deployed at the 10 U.S. airports with the highest volume of international travelers within two years of the bill’s passage. Those will be international airports in Atlanta, Chicago, Dallas/Fort Worth, Houston, Los Angeles, Miami, New York, Newark, San Francisco and Washington, D.C. Homeland Security has had biometric entry in place at U.S. airports and other border crossings since 2004. In the time since, the US-VISIT program has been collecting fingerprint data from foreign travelers and running them against a watch list. Gathering biometrics when a traveler exits the U.S., however, has been a more difficult task. Numerous pilots have failed to demonstrate a workable system. At one point Homeland Security was going to have the airlines collect the biometric data but the carriers balked at the proposal. The Office of Biometric Identity Management, formerly US-VISIT, would not comment on how it plans to collect biometrics from travelers at the 10 airports.

HOUSE SUbCOMMITTEE HEARS TESTIMONy ON THE FUTURE OF bIOMETRICS In May, the U.S. House Subcommittees on Research and Technology held a joint hearing to discuss the state of biometric technologies, their current applications,

future uses, challenges of adoption and how they can impact public policies. Chairman Larry Bucshon (R-Ind.) noted that biometric technology has made inroads in business, government and industry over the last two decades enhancing security and controlling access. In terms of government-related biometrics projects, Buchson spoke of the Department of Homeland Security’s recent information solicitation on commercially available live scan fingerprint systems that government agencies of all levels may be able to implement. Those who testified in front of the committees represented government, industry and academic sectors. Charles H. Romine, director of the Information Technology Laboratory at NIST spoke about the projects – such as the e-passport program – in which the agency had been working to add biometric functions to authentication methods in order to provide higher security. NIST is also working on protocols for web service biometric capture as well as various modality-testing programs. Additionally, NIST is exploring privacy issues in biometrics through collaboration and grants for the research community to evaluate new techniques in privacy. John C. Mears, a board member of the International Biometrics and Identification Association, testified on the technology behind biometric identification and what the association recommends to further adoption. Mears testified that smart personal devices will help drive biometric applications for commercial and consumer markets and that specific industries, such as financial services and health care, will implement the technology. He noted that emerging technologies such as rapid DNA identification, simultaneous face and iris capture, scent as a biometric, fingerprint capture without dusting or touching a sensor, voice identification, portable people identifica-

tion capability and cardio-pulmonary patterns may become viable biometric identifiers. Stephanie A.C. Schuckers, director of the Center for Identification Technology Research at Clarkson University, testified on behalf of the research field. She noted that further investment in research would help with some of the challenges that biometrics is facing, with particular regard to identity management, security and privacy.

Summer 2013

ID SHORTS

Summer 2013

ID SHORTS

GAO blasts TWIC card reader pilot results Stephen M. Lord, director of Homeland Security and Justice for the U.S. Government Accountability Office (GAO), testified before a House of Representatives Subcommittee on the Transportation Worker Identification Credential (TWIC) card reader

pilot results, saying that they were unreliable and the security benefits of the program should be reassessed. This report looks at the TWIC reader pilot that was conducted from August 2008 to May 2011, where Homeland Security tested a variety of readers and the credentialing authentication and validation process at volunteer facilities and vessels. The pilots hoped to test the technology, business processes and operational impacts associated with the deployment of card readers at maritime facilities as well as define its effectiveness, particularly in a harsh maritime environment where dirt, salt, wind and rain could easily wreak havoc with the cards and readers. Lord’s testimony is the latest in a series of reports on the TWIC pilot. In its November 2009 report, the GAO found that the pilot plan, its data collection and reporting methods weren’t sound, which affected the accuracy and completeness of the results. This time, Lord said that Homeland Security had not made the necessary corrections to its trial. This led the GAO to continue its assessment that the pilot produces unreliable data and shouldn’t be used in creating regulation. In its findings, the GAO notes eight areas of weakness in the pilot program, including the readers’ and access control systems’ ability to collect the required data, incomplete documentation about the readers’ characteristics and incomplete information on malfunctioning TWIC cards. Additionally, GAO found that Transportation Security Administration reports on 31 of the 34 pilot sites did not match what the testing agent reported. Neither entity recorded baseline data, instances of denied access or consistent data on the operational impact of the system. The TSA noted that consistency among pilot locations proved to be one of the challenges during the testing period due to the voluntary nature of project participation. It also blamed the independent test agent for incorrectly gathering data and allowing for inconsistencies. Nevertheless, the GAO found the TWIC pilot results to be unreliable and recommended that Congress consider repealing the aspect of the final regulations that require TWIC card implementation until DHS can complete an accurate and effective assessment of the system.

Summer 2013

ID SHORTS

Biometrics enables smart gun technology A new safety mechanism for guns leverages biometrics to authenticate users of equipped weapons. Safe Gun Technology Inc. (SGTi), of Columbus, Ga., is working on a smart technology that gun owners can put on their weapons to ensure that only authorized users can actually shoot the gun. “We’re using technology to hopefully prevent accidental shootings, prevent criminals [from stealing guns and using them] and prevent gun death and gun

violence,” says Charles W. Miller, chairman of the board of directors for SGTi. SGTi’s technology is proprietary, but Miller says it makes physical modifications to the firearm in order to add the identification system. Users would take their gun to a licensed gunsmith to add a retrofitted chip. To use the system, the gun owner would depress a tape switch that engages a fingerprint reader. The reader would read a thumbprint, and upon recognition of the correct print, allows the user to shoot the weapon. Miller says the reader “acts like a power switch,” and once the gun leaves the user’s hand, the technology will disarm the weapon until someone successfully authenticates into the system again. “[If you] try to remove the retrofitting equipment, it will destroy the weapon,” says Miller. To enable the biometric function, the gun owner takes on the role of master user of the system. “A master user allows a person to enter their fingerprint into the system. The fingerprint will be assigned a number by the reader, which

Summer 2013

will allow for easier record keeping for multiple authorized users,” says Miller. The master user sets up an initial PIN that allows them to go in and register or change prints. They can then add and delete users as they see fit. To transfer ownership of the gun, the master user assigns his entryway to the new owner, who then can go in and delete any unwanted profiles, says Miller. In SGTi’s Remington 870 prototype the biometrics are stored within the processor, and the system can hold about 150 prints. For the market version of the product, SGTi plans to use

a system that can store thousands of prints, says Miller. This will make the system ideal for armed forces battalions or large police forces that want to enable thousands of people to use a particular weapon.

Belgian ports roll out Lumidigm fingerprint scanners The ports of Antwerp and Zeebrugge in Belgium are replacing older biometric registration stations with Lumidigm VSeries multispectral imaging fingerprint readers. Antwerp is Europe’s second largest port and Lumidigm-partner Alfapass is in the process of enrolling 17,000 truck drivers and 10,000 longshoremen at the two ports. The port facilities wanted to identify individuals in a more efficient manner, especially for those who travel between multiple port facilities. Rather than a separate badge for each location, visitors to both ports will carry a smart card that includes the biometric template. Individual facilities have the option of verifying the fingerprint template stored on the card to authenticate the user at the entrance gates. When a card is lost or stolen or the person no longer works for the company, the card is automatically blocked at all participating facilities. No longer

ID SHORTS

can a former employee or person who obtained a card get into the ports as only cardholders that pass the biometric check-in are able to enter.

Motorola proposes tattoos as replacement for passwords In one of the more bizarre and possibly innovative solutions to the replacement of the password, Motorola has proposed an electronic tattoo fixed to the user’s skin as a means of authentication. A report reveals that Massachusettsbased engineering firm MC10 is manufacturing the “biostamps.” The tattoos contain flexible electronic circuits that can be adhered to the user’s skin via a rubber stamp.

While the concept seems a tall order for public adoption, this is not the first time that the tattoo concept has been explored. In March, Nokia proposed a similar solution, however in that case the tattoo was inserted beneath the skin, meaning users needed to undergo a minor surgical procedure prior to using the technology. Nokia also played with the idea of a topical, stamp-like solution but stated at the time that such a method would be less resistant to daily wear and tear. Nokia’s under-skin tattoo would vibrate for incoming calls and when the user’s device battery was low. By scratching their arm, the user could dismiss the alerts. The biostamps that Motorola is experimenting with were initially designed for use in the medical field, but the mobile giant is hopeful that the stamps could be used in the consumer sector as well.

To accompany the tattoo idea, Motorola is also exploring a more invasive method using the Proteus Digital Health pill. Already approved by both the US Food and Drug Administration and European regulatory bodies in 2010, the pill contains a battery-powered chip that works using the individual’s stomach acid. As with other biometric modalities on the market, the ingestible pill leverages the ECG signal that can be traced by devices outside the body. It is this unique signal that could be used to verify a user’s identity. Motorola officials admit that such a solution will not be available to the public for some time, but that authentication using the tattoos has been tested with mobile phones and worked well.

Summer 2013

Multi-App hAS ThE TImE fOr mUlTI-APPlICATION SmArT CArdS fINAlly COmE? addinG identity, otHer appS to emV Could HaSten multi-app reality Zack Martin, Editor, avisian Publishing

Summer 2013

There was a time in the not-so-distant past where “one card that would rule them all,” was a hotly discussed topic. Credit, debit, transit, multiple loyalty schemes and possibly even identification would all be placed on to one smart card for use everywhere and anywhere. Conferences dedicated sessions to the discussion of multi-purpose smart cards, touting them as the Next Big Thing. But it never really happened. There are cobranded payment cards with transit apps in the a few places around the globe, but placing multiple applications on smart cards has been the exception rather than the rule. It is viewed as too difficult and there are always questions of what logos would be printed on the card, who owns the cardholder and how apps are added and revoked. But now bank-issued cards may be crossing the payment lines and dawning a new day for multi-app cards. There are more than 1.5 billion EMV cards in circulation throughout the world, according to EMVCo., the association charged with looking after the standard. The global payment standard has been around since the mid1990s and following adoption by a majority of the world’s industrialized countries over the past decade, the U.S. is planning to climb aboard as well. As the need for high-assurance identity in the physical and online worlds have grown, so too have the discussions about using the EMV application and bankissued cards for purposes other than payments. Could we be witnessing the rebirth of the multi-application smart card? To date, using EMV cards with multiple applications has been much discussed but has resulted in few deployments. The problem is that banks tend to issue the cheapest, lowest memory cards and lock them so additional applications can’t be added.

Still examples providing a glimpse to the potential do exist. A handful of campuses are using a robust solution and Nigeria will start issuing a national ID card that includes an EMV application. Meanwhile, others are using the EMV technology to enable an additional security factor online. There are different ways that an EMV card could be used for other applications. Ultimately, it comes down to the business case of banks letting other enterprises place applications on the smart card or being able to provision the EMV application into a physical or logical access system.

bANCO SANTANDER GOES MULTI-APP FOR STUDENT ID Banco Santander’s university card program places an EMV application on the student ID card along with other applications, says

EMV contact and MasterCard’s PayPass contactless EMV app, Drumond says. “It’s a 36K chip with a small portion used for financial functions and the remaining space used for university applications and digital signature,” he adds. The ID cards are available only to members of a given university and have become a management tool for students to access a variety of applications. For example, in Santiago de Compostela, the card offers transit ticketing, digital signature, parking access, secure access to computers and an electronic purse for vending machines and meals. The card also offers time control, manages library loans, enables consultation at self-service kiosks, discounts in certain shops. Students are under no obligation to open an account with the institution, but for those that do, the card supports use at ATMs and as an EMV debit card.

EMV + Student ID Student ID programs in Brazil, Spain and Chile are issuing dual-interface cards with EMV contact and contactless EMV apps. “It’s a 36K chip with a small portion used for financial functions and the remaining space used for university applications and digital signature.”

Samuelson Drumond, vice president of smart card for Santanader Universities. The program has deployed 4.2 million cards at 211 universities in 10 countries. Programs in Brazil, Spain and Chile are all issuing dual-interface cards with

Since the card uses the EMV standard it can also be used in open-loop transit systems. In the future, Santander is looking at using the mobile device for identification and to generate one-time passcodes for

Summer 2013

secure online authorization of payment transactions or other purposes. Santander issues multi-application Java cards, Drumond says. The EMV application is isolated on the chip and additional applications provide the digital signing, access control and other functionality.

Gemalto provides the cards for the Santander schools, says Philippe Benitez, vice president of marketing, Secure Transactions for Gemalto North America. “These are high-end cards that are designed for use in all the touch points that a student might need to access,” he adds.

Nigeria merges national ID, payments Nigerian citizens will be issued a multi-application identity card that includes prepaid payment functionality from MasterCard as well as a host of e-government and benefits administration capabilities. For many Nigerians, this will be their first access to financial services as more than 70% of citizens are unbanked or underserved.

Summer 2013

However, Benitez hasn’t heard of any need to use EMV for other purposes beyond the university space, and some government programs.

Secure non-payment transactions via EMV Technically it’s possible to use EMV cards and applications for other purposes but the challenge lies in the business case and whether individuals would want to do it, says Brian Russell, senior vice president for payments and transit at Giesecke & Devrient. “Technically you can take the EMV cards and the cryptographic capabilities and have the ability to communicate,” he says. “But there are a myriad of issues with the business case.” Financial institutions would have to be willing to share the keys to the cryptogram with the enterprise in order to enable it to work, Russell says. There’s also the question of where the key management system lives, the bank, the enterprise or both? “You’re talking about implementing a backend system that would be reading the same system, it’s not impossible but it would take effort,” Russell explains. “The challenge comes in the infrastructure and having to manage and share keys across different segments.” There’s also the consumer side of the equation and whether the employee would be willing to share an EMV card with an enterprise for access, Russell says. “Certain people may be sensitive about their financial information and may not want to share,” he explains. “Also, what happens if the card is lost or stolen or the employee wants to cancel the account?” Enterprises want to control the personalization of credentials, says Xavier Giandominici, director at FIME. That said, depending on the card and memory available, it would be possible to use the card for other purposes.

The problem arises when it comes to the business case, Giandominici explains. How is the card authorized? What’s the lifecycle? What’s the liability if something happens to the credential? “The technology is here and it’s secure but these questions are what’s stopping it from being implemented,” he adds.

LOW MEMORy CARDS LIMIT OPTIONS The main problem is that banks issuing EMV cards typically go with the lowest cost, lowest memory cards available, says Stephen Wilson, managing director at the Lockstep Group. Banks put the EMV application on the card and don’t leave room for anything else. This is changing in some regions, as European banks are putting other applications on the card, such as transit, but leaving room to enable a third-party to place an app on the card is somewhat unchartered waters. “Post-issuance loading is hairy,” Wilson says. “People have an aversion to it because you have to be technically sophisticated to add an app to a smart card without breaking it.” The alternative is to add all the applications when the card is first being issued.

EMV PLUS NATIONAL ID FOR NIGERIANS Nigeria and MasterCard worked together to add both parties’ apps at issuance creating a national ID that is also an EMV bank card. The two announced the rollout of 13 million MasterCard-branded National Identity Smart Cards with electronic payment capability as a pilot program.

As part of the program, the first phase of the pilot issues all Nigerians 16-years and older, along with all citizens with two or more years of residency, the multipurpose, 13-application identity card. The card includes MasterCard’s prepaid payment technology that will provide cardholders with electronic payments. For many Nigerians, this will be their first access to financial services. But arriving at the multi-purpose ID wasn’t easy. Providing access to banking services was important with the Nigerian

The issuance of these new credentials, from a back office perspective, is complex but should be easy for the cardholder. The process starts with issuing the National Identity Card, which includes biometric identification and is linked to the unique national identity number, Lahoud says. The electronic payment capability kicks in afterwards and features many possible applications. The identity card can be used as a standard prepaid card where the cardholder loads money on the credential at a bank. More importantly, it can be used

EMV + National ID

“The Nigerian government was resolute in creating a smart identity card based on a unique national identity number to harmonize and integrate existing identification databases in Nigeria. The Central Bank was equally resolute in advancing the Cashless Nigeria initiative to create efficiencies and gradually eliminate the vices of cash in the economy.”

ID as more than 70% of citizens are unbanked or underserved. “The Nigerian government was resolute in creating a smart identity card based on a unique national identity number to harmonize and integrate existing identification databases in Nigeria,” Sami Lahoud, vice president of communications for the Middle East and Africa at MasterCard. “The Central Bank was equally resolute in advancing the Cashless Nigeria initiative to create efficiencies and gradually eliminate the vices of cash in the economy.”

by government agencies as an alternative cash disbursement tool. “The Minister of Finance has already stated that this card will be used to disburse pensions to eligible citizens,” Lahoud explains. Other applications are being discussed as the program evolves. Lahoud says there are no similar programs like this in Africa or any other part of the world. Eventually, the scheme will include all adult Nigerians and all residents in the country. This is a potential of almost 120 million cards and will keep growing in step with the country’s population.

Summer 2013

Consumers want strong online authentication The deployment of EMV in the U.S. is focused at the physical point of sale, but will the cards be used as an extra factor of security for online purchases? Banks should keep in mind that consumer want stronger authentication online. A study by the Ponemon Institute shows that consumers don’t like user names and passwords and would prefer multi-purpose identity credentials that could be used across sites. In the U.S., 46% of individuals don’t trust systems that rely on user names and passwords for access. Another 38% don’t trust sites unless they require frequent password resets. “People expect more, especially when visiting a bank versus social media site,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “People are expecting businesses to do more on the authentication side.” The idea of a multi-purpose identity credential to manage access to multiple sites is appealing with 51% of consumers expressing interest. The multi-purpose identity credential would be managed by a trusted provider, who in turn licenses authentication capability to organizations providing cloud-based services such as banks, retailers, health care and government agencies. There is, however, a caveat with multi-purpose credentials. “People do not want the credential to be a national ID and they don’t want it to violate their privacy,” Ponemon explains. Consumers want retail banks to be the issuer of the credentials, with 61% of U.S. consumers stating it as a preference, followed by credit card and Internet payment providers. The least preferred issuer was law enforcement, Ponemon says. The preferred form factor for this multi-use credential is the mobile phone, with 32% of respondents selecting this option, Ponemon says. Biometric authentication was second with 23% of respondents preferring the method. Consumers are comfortable with the idea of using biometrics for access to sites, Ponemon says. Voice was the preferred modality at 83% followed by facial recognition at 70%. Nok Nok Labs, a group looking to change online authentication, commissioned the survey of 2,000 consumers from Ponemon. Phillip Dunkelberger, CEO at the organization, says one of his takeaways from the report is that consumers want to use a secure ID but they don’t want to be tracked. For example, consumers don’t like it when they shop on a site, go to a completely different, unrelated site, and see advertisements for products they had looked at previously. “People want convenience but they don’t want it tied to a government agency or a big business,” Dunkelberger explains.

Summer 2013

OTP extends EMV to other apps Nigeria and Santander both are issuing high-memory cards in order to enable multiple applications on a single chip. Outside of banks sharing the cryptographic information with an enterprise or enabling post-issuance applications to be added to cards, there are other ways to use EMV payment cards as an extra factor of authentication, especially for online transactions. EMV cards can be used to generate one-time passcodes using the MasterCard Chip Authentication Protocol or Visa’s Dynamic Passcode Authentication, says Stephane Ardiley, product marketing manager at HID Global. These systems are typically used in card-not-present transactions when a consumer is making a purchase online. To conduct such a transaction, the customer first inserts the EMV card into a small, calculator sized reader. The card owner then types the PIN on the reader’s keyboard and receives a one-time password to be used during an online or telephone transaction. This transaction provides two-factor authentication because it proves that the card was in possession of the buyer and the buyer knew the PIN. HID has worked with banks overseas to deploy this technology to cardholders, Ardiley says. While the technology has primarily been used for second-factor authentication for transactions, banks are exploring use of the technology as another factor for secure login.

Canadian bank credentials extend to government access In Canada, SecureKey is working with three banks to enable existing contactless bankcards and logins to secure access to government web sites. Consumers will be able to visit a government department online and go through SecureKey’s credential broker service for authentication. SecureKey is launched with BMO Financial Group, TD Bank Group and Scotiabank and plans to add more in the future. Canadian citizens have a choice of whether or not to use the system. When they visit a government site, they can choose to create a new login that is unique for the government application or use their own banking information. If they choose the latter they are directed back to the bank site, asked to login and provide

required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site. When a user authenticates with their bank, the bank will give SecureKey a

Payment Acquisition and Sales Support at BMO Financial Group. “BMO sees this as a natural extension of the services we offer our customers,” Heatherly adds. “Our participation gives customers a secure, simple and trusted ver-

EMV + Digital ID

In Canada, Bank of Montreal is demonstrating how contactless EMV cards and bank credentials can add an extra factor of security to other online log-ins. USB readers enable the cards to be called upon when accessing government web sites.

non-identifying security token. SecureKey then substitutes the token with a new, non-identifying but unique token for the Government of Canada that says the user has been authenticated. The credential brokerage service is blind; meaning no party to the transaction knows precisely who has provided what data, thus ensuring the user’s privacy. SecureKey is a broker of anonymous credentials while the government is responsible for ensuring that you are accessing your own information. The bank is responsible for providing a valid token that only the citizen has to connect to Government services more securely. Bank of Montreal is issuing contactless readers that plug into USB ports so that consumers can tap their contactless EMV card for an extra factor of security, says David Heatherly, head of North American

ification process for accessing government services online. It builds off the investments we have already made in Chip and PIN, and related technologies for simpler, but more secure, online authentication.” TD Bank group didn’t see the physical card readers adding value to the system, says Paal Kaperdal, senior vice president for Online Banking at the institution. However, enabling one login for multiple services extends TD Bank’s trust into other areas. “We see this system as a natural extension of that relationship in the digital domain and an opportunity to extend our services to our customers,” Kaperdal says. It’s a win/win opportunity for the bank, says George Peabody, senior director at Glenbrook Partners. It doesn’t require the banks to make any changes to the card and the institution could potentially earn revenue from having other relying parties use it for strong authentication.

Also, with more tablets and laptops expected to be equipped with near field communication and contactless readers, the cards could more readily be used as an additional token in SecureKey’s model, Peabody says. This requires dual-interface cards, which is the majority of cards issues in Canada. SecureKey is attempting to build an authentication protocol based on what a consumer already knows: user name/ password and payment cards, says Andrew Boysen, executive vice president of marketing at the company. As SecureKey has demonstrated in Canada, payment cards can be used to add security for online logins. It’s a matter of working with organizations that want to make it happen, Boysen says. “It’s not a technical challenge and our customers are working to help us make it happen,” he adds. Boysen believes systems like SecureKey’s will most likely take off in the consumer space first. “Banks are all about the consumer but they don’t know anything about the enterprise space,” he explains. For that reason along with customers’ reluctance to use personal cards in an enterprise environment, it may be difficult in this environment, Boysen says. “From a consumer standpoint I won’t have something personal used in the enterprise,” he adds. This could change. As consumers become more concerned about securing their own online identity, there would be an opportunity to add a business persona to that same credential. It would be a replay or an extension of the Bring Your Own Device situation that is playing out in enterprises across the country.

Summer 2013

Weak credentials ENABLING cyber crime Compromised passwords lead to BREACHES

our out of every five data breaches occur because of exploited or stolen credentials. This key finding from Verizon’s 2013 Data Breach Investigation Report has helped escalate concerns about hacking to critical levels. Richard Clarke, the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism, expressed concerns for U.S. computer networks, critical infrastructure and even national security.

Summer 2013

At an investor’s conference late last year, he warned companies that if they don’t think they have been hacked, they just don’t know it yet. He went on to say that the threat of hacking by foreign nations is one of the biggest threats the U.S. faces. The numbers bear out Clarke’s concerns. 2012 saw more than 47,000 security incidents, 621 data disclosures and at least 44 million compromised records, according to the Verizon report. Over the entire nine-year range of the study, that tally now exceeds 2,500 data disclosures

and 1.1 billion compromised records – that equates to nearly four compromised records for every man, woman and child in the U.S. 2012 saw security experts adopt the “assume you’re breached” mantra. The weakness of passwords is the main cause of exploitation with 80% of breaches occurring because of a network intrusion exploited by a weak or stolen credential. Credentials can be exploited in many ways. They are typically stolen when a user downloads malware that captures user name and password information

Variety of hacking actions

Variety of compromised data 48%

Use of stolen creds

44%

Use of backdoor or C2

34%

Brute force Unkown

SQLi

Other

61%

Payment 38%

Credentials 24%

Internal

20%

Secrets

20%

System

Personal

10% 6%

Footprinting

Unknown

Abuse of functionality

Bank

MitM

Classified

<1%

Buffer overflow

Medical

<1%

Copyrighted Other Financial

Espionage

Activism

and then sends it to the fraudsters. This leads to hacking, and the use of stolen credentials was the primary way hackers gained access to systems. There are also brute force attacks that break passwords. Authentication-based attacks – guessing, cracking, or reusing valid credentials – factored into four of every five breaches in 2012. It would seem that this is reason enough for single factor authentication to be put to rest once and for all. Yet it remains the most common approach. Suggest report authors: “If data could start a riot (“Occupy Passwords!”), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die. We’ve talked about the shortcomings of passwords for years now, and if it were an easy problem (or the pain caused by password problems was greater), it’d be fixed by now.”

Other

Financial

Identifying solutions to replace or bolster user names and passwords is a primary driver behind the U.S. government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Stronger credentials prevent attacks, says Jeremy Grant, senior executive advisor for identity management and head of the National Program Office for NSTIC. When the U.S. Defense Department mandated the Common Access Card and PKI for network login, intrusion dropped

1% <1% Espionage

Other

a priority because in government and critical infrastructure, it’s the humble password that is used to guard access to recourses and it’s woefully obsolete,” Grant explains. Organizations have tried to make passwords work by making them more complex, says Tracy Hulver, chief identity strategist at Verizon. “You mandate a minimum number of letters with alphanumeric characters and have them change their password frequently,” he

If we could collectively accept a suitable replacement for passwords, it would’ve forced about 80% of these attacks to adapt or die. by 46%. This is one of many oft-cited statistics in support of the transition to strong authentication. The national strategy aims to bolster online privacy, convenience and security, things lacking with usernames and passwords. “The White House made this

explains. “It makes it more complex but if you make something more complex people will write it down and there goes the security out the window.” Complex passwords also don’t equal foolproof security. Hackers want the credentials because once they have it

Summer 2013

they have free reign in a system. “You can have a 40 character password with alphanumeric characters but if I put a key logger on your machine I’ll get the password,” Hulver says. Password reuse also jeopardizes security. If one company’s identity management system is compromised, it’s likely the hacker will try the stolen credentials on other sites because individual’s commonly reuse passwords, says Chris Russell, vice president of engineering at Swivel Secure. “One compromised password can lead to more sensitive data being hacked,” he adds. Stronger credentials, such as two-factor authentication and one-time pass codes, are a possible solution, says Grant. “It’s not that one-time pass codes can’t be hacked but they’re more difficult to compromise,” he explains.

The national strategy is focused on multi-factor authentication, Grant says. The challenge is putting it in hands of the user. “It must be cost effective and easy to use because we need to convince everybody to use it,” he explains. There’s an old saying that with enough time and money anything can be hacked, but it’s also true that most fraudsters will go for the easier score avoiding sites with strong security. “Let’s drive material improvement beyond what we have now,” Grant adds. Hulver agrees, noting that of the 1.1 billion records breached in the past nine-years of the Verizon study, none of those system used two-factor authentication. Fraudsters go the path of least resistance and two-factor would take more time and effort, he says.

ID theft top concern for U.S. consumers Strong authentication needed to allay fears Unisys released its annual Security Index report that offers a snapshot of the nation’s sense of security. The war on terror is less of a concern than in the past but consumers are more concerned with bank card fraud and identity theft. According to the report, 45% of those surveyed are extremely concerned about national security related to terrorism, but that percentage has decreased over the three-year period from 2011 to 2013. And this year, national security concerns dropped below concerns over bank card fraud and identity theft. While there has been a decrease in serious financial concern from 2012 to 2013, there is still a great deal of apprehension related to credit card fraud. Accompanying the American public’s concerns of financial security is a significant trepidation – 35% reporting being seriously concerned – associated with spam and

Summer 2013

viruses. Moreover, one-third of respondents reported being seriously concerned with the security of shopping and banking online. In terms of personal security, identity theft remains a point of worry, though levels have dropped from extreme to moderate concern. The 2013 Index indicates bank card fraud, identity theft and national security are the top security concerns for Americans. The survey shows 52% of Americans are seriously concerned about other people obtaining or using their credit/debit card details. A majority of those surveyed (54%) are also extremely concerned about identity theft that could lead to unauthorized access or misuse of personal information. In an increasingly connected society the prospect of losing valuable data and assets to cybercrime is a serious concern, and the Unisys report suggests that businesses must review

and enhance existing security measures.

and networks from internal and external threats.

Unisys is also mindful of the advent of cloud computing and a growing connectivity between companies, institutions and individuals. A concern for government and commercial organizations alike, Unisys stresses that security has never been a more urgent and visible issue.

For larger operations with high personnel populations, the management of identities and entitlements through an integrated approach will be key. Central management of users’ digital identities will provide the higher level of assurance and will reduce employee error with continuous messaging and policy implementation.

Part and parcel to a hostile IT ecosystem, are vulnerable mobile devices, poorly authenticated users and weaknesses in data and application security. Unisys reveals that proper protection in such an ecosystem is no longer a simple matter of securing the IT network perimeter. The report suggests that companies make security a priority. Specifically, it recommends implementing security monitoring, awareness and reporting utilities as well as a cybersecurity framework that protects enterprise data

Utilize built-in capabilities of next generation devices. Smart phones and tablets enable advanced authentication via biometric techniques like voice, signature and facial recognition. Finally, Unisys stresses the importance of constantly and regularly assessing and reassessing security measures. Performing vulnerability scans periodically and scheduling audits can be valuable tools in spotting gaps in security.

that stores the credential,” Russell says. “Cloud services just need to know that I’m authenticated to my service, they don’t need to know my password.” The breaches of login information from Twitter, Living Social and other sites are causing them to reconsider identity routines, Hulver says. The problem with deploying these systems, especially multi-factor, is added cost and end user acceptance challenges. Two-factor authentication can be viewed as expensive especially for an organization with ten of millions of users. The other issue for an organization with a large user base is educating individuals on how to use a more complex system, Hulver says. “Adding another step causes increased help desk calls and frustration,” he adds. It could lead to less frequent usage or even customer attrition. This is certainly

Organizations could also add riskbased analytics to better secure systems, Hulver adds. These systems run the in background of IT networks and track login habits and make risk-based decisions. It may ask for another authentication factor if the user is logging on from an unusual IP address. Federated identity is another possible solution, says Russell. “If you federate properly, you have fewer identities but each is more strongly protected,” he explains. In an environment where individuals are accessing cloud-based resources federation can improve security while making it easier on the end user and enterprise. A user would authenticate to the federated identity service and then be able to access any necessary resources. standardsREPORT enable a 2013 DATA “Federation BREACH INVESTIGATIONS single organization to be the only party

part of the equation and a likely reason some organizations choose to stick with a solution that is widely known to be insecure. Issues aside, organizations are starting to take identity management more seriously, Hulver says. Sadly in most cases the process will start with the mandated use of complex passwords that will have to be changed frequently. Eventually it will lead to multi-factor authentication. Using risk-based systems that run in the background may be able to screen out 99% of problematic transactions. Two-factor solutions can step in to authenticate an individual helping address the remaining gap, Hulver suggests. Though there is still a long way to go, programs like NSTIC and two-factor initiatives from groups like Google, Twitter and Facebook show the industry is making strides to better secure online identities.

DATA BREACHES: THINK IT WON’T BE YOU? Hackers are interested in companies just like yours... All kinds of organizations — from government agencies to iconic consumer brands, internet startups to trusted financial institutions — have reported major data breaches in the last year. Nobody’s immune, no target is too small, or too large. It could be you next.

75%

Do you know what you’re up against? The variety of perpetrators and methods they use to gain access to data are numerous, and ever-growing. Understanding the threat is critical to protecting your business. of attacks are motivated by financial gain.

75%

Spies

19%

of attacks can be attributed to state-affiliated actors.

Criminal

Activists

of attacks are opportunistic, not targeted at a specific company.

Most breaches lie undiscovered for months... It’s not really surprising that many breaches happen quickly — perpetrators driven by financial gain will often quickly move on if not successful. What’s alarming is how long breaches take to spot, and how long they take to fix — during which time sensitive data remains exposed.

66%

Who do they target?

Manufacturing, professional services and transportation industries.

of breaches lie undiscovered for months, increasing the potential damage.

Where are they from?

East Asia.

...and breaking in is a lot easier than you probably think. 78% of intrusions rate as ‘low’ or ‘very low’ on the VERIS difficulty scale — they require no special skills or resources.

Who do

et? they targ

s. industrie

from? are they

ica. rth Amer

food tail and

re Finance, Where

Eastern

Europe

What do they want?

Credentials, internal organization data and intellectual property.

and No

nt?

they wa

ere are the

ls and

credentia rmation, . Card info tails count de ac nk ba

What do

y from? Western Europe an d North

What do

America they . Personal want? informa tion, cred and inter entials nal orga nization data.

68%

76% 22% 10% <1% Very low

Low

Moderate

High

of network intrusions exploit weak or stolen credentials.

Who do the y tar

get? Informat ion, service ind public sector an d other ustries. Wh

84%

...and most victims don’t even spot breaches themselves. Only 13% of breaches are discovered by the affected company. Nearly 1 in 10 are discovered by a customer. 34% 24%

of compromises take minutes or hours.

The financial cost and damage to your reputation of a data breach can be enormous. You can’t afford to ignore the risk. Get informed, visit our Data Breaches resource center:

verizonenterprise.com/DBIR/2013

13%

Third party

Fraud detection

Internal

Customer

47,000+ SECURITY INCIDENTS ANALYZED. 621 CONFIRMED DATA BREACHES STUDIED, 19 INTERNATIONAL CONTRIBUTORS, 6TH CONSECUTIVE YEAR. THERE’S ONLY ONE DBIR. © 2013 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

MC15555 04/13

Summer 2013

PASSWORD BEST PRACTICES: LESSONS LearnED From Recent Hacks Charles McColgan, CTO, TeleSig

According to the Ponemon Institute, 55% of small businesses across the U.S. had some form of data breach and 53% had multiple breaches. More than 50% is a scary number, and data breaches can impact all organizations, big and small. Just consider the recent examples from some very high profile companies that made front-page news including Skype, LivingSocial and the Associated Press. Though these hacks were very different, the following common best practices could have lessened the sting. Make sure your users never use the same password twice Users should have a random and different password for each site they use. The problem with a stolen password is that frequently the user has leveraged the same password across several accounts. Users are lucky when they find out about a hack because then they can change the password on their compromised account and any other account with the same password. The more insidious and damaging hacks are the ones that are go unnoticed for a period of time. Unless a site provides two-factor authentication, users should assume that any of their accounts could be compromised with a guessed or cracked password. Since users are generally resistant to creating and maintaining multiple passwords, recommend that they store these passwords using a service like LastPass or software like Password Safe.

Summer 2013

Salt your passwords. In fact, double salt them For password storage, passwords must be hashed and salted – a process that increases security for stored passwords – in fact double-salting passwords is better. Double salting passwords and storing the second salt somewhere other than in the password database makes hashed passwords nearly impossible to crack. The security folks at LivingSocial did salt their passwords, which makes any attack against the hashed passwords much harder. If a site has salted and hashed their passwords a hacker must create a big dictionary hash list separately for every single user. That takes a really long time making the hack millions of times more complex if the site has millions of accounts. Salting and hashing protects all of your passwords from getting cracked easily but single accounts are still susceptible.

Collect a phone number for important communication Email is a good method of communication, but SMS is more appropriate for urgent matter such as, “Holy Heck, we were hacked, change your password!” Email communication comes with its own set of challenges because it can also be compromised. Additionally, many users leverage the same credential across all their accounts. That’s why it’s imperative to capture and verify your users’ phone number when new users register for the account. Not only does this help ensure users are who they say they are, but it can serve as an effective deterrent for keeping out fraudsters and spammers. Attaching a verifiable phone number to an account enables other downstream benefits like streamlining password resets and enabling secure communication to your user base if there is ever a systemwide data breach.

if all LivingSocial users had used two-factor authentication it wouldn’t matter if someone else knew the user’s password

Set-up two-step verification to prevent account compromise If two-step verification were set-up, it wouldn’t matter if passwords were compromised, because the hacker would need to know the password and have physical possession of the authentication devices – in most cases the end users’ phones. For example, if all LivingSocial users had used two-factor authentication it wouldn’t matter if someone else knew the user’s password. The accounts wouldn’t have been able to be compromised unless the attacker had the password – something the user knows – and had the two-factor authentication device – something the user has such as a token or mobile phone.

relying solely on passwords leaves users’ accounts vulnerable, while mandatory two-factor authentication for every login or transaction brings cost, complexity and inconvenience. Risk-based authentication strikes a balance between the two, by selecting the appropriate authentication requirements for each session based on specific triggers that detect suspicious or unusual activity. During sign-in, users can establish the device as a trusted device. Subsequent login from that device doesn’t require secondary authentication. However, if the user logs in from a new device or engages in non-typical behavior or behavior that patterns fraudulent activity, a secondary authentication event will be triggered.

Set-up risk-based authentication

Communicate early and often

In the battle between security and convenience, there are perils at both extremes:

Companies that have been hacked need to quickly tell users that a breach oc-

curred, how it occurred and what the user needs to do. Be transparent about what data was compromised and what you are doing to remediate any issues found. Be transparent about your security. If you have salted (or double-salted) your users’ credentials, say that. Explain what this means in terms of how difficult it is for the bad guys to actually access your passwords. It’s a best practice to conduct a detailed post mortem. The way the Internet community gets better about security is by understanding what mistakes were made, embarrassing as they may be. In this technology-driven business environment there is potential for enormous opportunities – as well as significant risks. Just as companies buy insurance to cover fire or flood loss related to their buildings, organizations have to insure their most valuable asset: their data. And the best ways to protect data is following some commonsense best practices and learn from the companies that have been put through the fires.

Summer 2013

Contact, contactless or flesh? Human body replaces ‘wires’ to transmit ID data Jill Jaracz, Contributing Editor, AVISIAN Publications

Imagine accessing a secure area or service without fumbling for a card, swiping an ID badge or keying in a PIN. It is possible with new technologies that utilize the human body as the conduit to transmit the identification and authentication data. Thomas Zimmerman introduced this concept in a 1980 MIT thesis. One of the first technologies to utilize the concept in consumer applications is the BodyCom solution from Microchip Technology. “Fundamentally BodyCom is a short-range, low

data rate communication,” says Edward Dias, business development manager for security and authentication products in the MCUE division of Microchip. But here is where it gets interesting. It uses a coupling pad to charge the human body and a base unit similar to an automobile key fob that the user holds. When the user steps on the coupling pad the body is charged and the keyfob receives the power it needs to start. The fob – which can be kept in the individual’s pocket – is

BodyCom technology utilizes the human body as the element that transmits the authentication data to a physical access control reader. The BodyCom Development Kit aims to help engineers program, debug, and develop secure communication systems for access control or passive keyless entry.

Summer 2013

then authenticated and access is granted or denied. “It’s capacitive coupling like the way you would touch your iPhone or touch a screen,” Dias explains. BodyCom is similar to a passive keyless entry system – those that enable car doors to open without requiring the user to push a button on the fob – but this technology uses less energy because it’s not constantly pumping out an inductive field. The system uses the same 125-kilohertz technology that is common in proximity card systems for communication from the reader to the keyfob. The keyfob responds back using the eight-megahertz frequency. “We use different frequencies so they’re not colliding with each other. Eight megahertz is common in many of our microcontrollers,” says Dias. Microchip Technology offers a free software development kit to enabled manufacturers to develop applications to use the BodyCom technology as long as it’s used in conjunction with any of the company’s portfolio of more than 1,000 microcontrollers, explains Dias. The company uses two forms of technology with this type of system. The first requires a user to physically touch a sensor, says Dias. The second uses the mobile keyfob and a proximity scheme. “Proximity gives you the ability to take that mobile unit, and put in your pocket, backpack, purse, etc. As

long as it is within four or five inches of the body, it’s dialed in,” says Dias. How the system is being used can determine whether touch or proximity is the technology being employed. Health care is looking at the technology for access to surgical suites where touching anything would be bad. In this instance, a nurse or doctor would have a fob or card around their neck and the coupling pad could be laid in a floor mat in front of a doorway. “As you walk across the mat, that would actually capacitively couple and do the authentication with the key fob to open up the door. They wouldn’t have to touch anything so it keeps that hospital room sterile,” says Dias.

While Microchip Technology has designed the mobile unit as a key fob, it could come in a variety of forms, such as a typical card-sized badge or a button that hangs from a user’s keychain. “The difference here is it has to be managed by the application because the proximity works in direct correlation to the size of the coupling pad. The larger the coupling pad, the longer distance you would have,” says Dias. “And we see everything from the size of a quarter to a 12x12-inch pad.” The typical transmission rate for the authentication process on a system that doesn’t have a lot of built-in security is about 100 milliseconds, says Dias. “Once you start layering the rest of the software on there, if you want to increase layers of

encryption, then you start increasing the size of the data packet. That will slow it down, but you can also ramp up the microcontroller speed to accommodate that,” says Dias. The technology could be used in a variety of applications, says Dias, perhaps most commonly as a replacement for passive keyless entry to automobiles. Manufacturers can also potentially use BodyCom technology in home security systems; home or industrial door locks and even as personal safety and security for potentially dangerous items such as firearms or power tools. Dias gives the example of the technology being used with a battery-powered circular saw. When the owner pulls the trigger he would be authenticated and makes the cut. “I put it down, take my hand off it, turn my back, and I don’t have to worry about my ten-year-old son grabbing the saw and playing with it because he’s not paired up with it. It’s kind of enabling equipment and disabling it at the same time,” says Dias.

Summer 2013

CUSTOMERS WHO SAW HUMAN bODy COMMUNICATION AUTHENTICATION RESPONDED WITH SURPRISE TO SEE THE HANDS-FREE FUNCTIONALITy

Adding the technology to video game controllers could let players can take their controller to their friend’s home, touch the base station and have their own profile added to the system. It can also be used to lock someone out of playing with a user’s system, says Dias. Pets can also harness BodyCom technology as a means of getting through a pet door in a home. The pet can wear a tag, touch its nose to a pet door and be allowed access. “In Arizona, we have coyotes coming in through pet doors and taking pets. It could keep these unwanted pet criminals away,” says Dias.

OTHER TECHNOLOGIES USING THE bODy AS THE CHANNEL Whether or not BodyCom technology can establish a foothold in the authentication market remains unclear, but similar efforts by other companies have been met with skepticism and have struggled as a result. Konica Minolta developed its Body Area Network technology for use by companies that require users to log in to photocopy machine and printers in an effort to prevent information leaks. “The requirement of logging in with ID/Password each time

Summer 2013

is troublesome and time-wasting for users,” says Akiko Kaise, spokesperson for Konica Minolta. Konica Minolta partnered with Dai Nippon Printing in 2010 to develop the Body Area Network technology. Today it is working with Ad-Sol Nissin, which has a similar technology called Touchtag, to introduce the product into the market, explains Kaise. Konica Minolta has demonstrated its Body Area Network technology at trade shows as far back as 2010, and it’s continuing to develop this technology. “Almost all customers who saw human body communication authentication responded with surprise to see the actual hands-free authentication,” says Kaise. Still, manufacturers could face some resistance from consumers who don’t like the idea of electronic currents running through their body. “You’re never going to get everyone to agree that this is just fine,” says Dias. He believes that there will always be some contingent questioning the effects of this frequency or current going through their body. “Normally they’re asking this question while they have their mobile phone up to their head,” says Dias.

Dias says Microchip does get questions from the medical field on whether or not BodyCom technology would interfere with medical devices like pacemakers. The company has looked into this and compared BodyCom with the passive keyless entry market. “If you look at that application, just by comparison, our application typically would generate on a coupling pad somewhere on the order of 60 volts roughly. In a passive keyless entry system that you have on a variety of different automobiles today, that generates on the order of 600 volts,” says Dias. Some automotive manufacturers, such as Toyota, that integrate passive keyless entry systems do include warning labels in the car’s user manual for those who wear pacemakers. It will be up to the application developer to design a system that complies with the necessary FDA specifications, says Dias. Still, that’s not deterring developers from thinking of ways to bring BodyCom technology to the consumer. “When you talk to people, you just see their eyes light up. They start generating ideas of how it could be implemented. I think we’re just touching the surface of potential applications right now,” says Dias.

mobile App verifies first responders A gas leak in a high-rise building in a big city is certain to draw the attention of first responders – police, firemen, paramedics and utility workers. Making sure only those who are authorized to be on the scene are present can be a challenge. FEMA and other federal agencies have been working with state and local officials to propagate the First Responder Access Credential, a PIV-I smart card that would carry identity attributes of first responders and enable them to be verified at an emergency site. During drills and trials in the past, this verification required hardware designed for the first responder community, handhelds with smart card and biometric readers that connect to databases to verify attributes. The readers have been pricey and the U.S Department of Homeland Security has been trying to cut that cost by developing a standards-based application to validate first responders using smart phones. Homeland Security’s Science and Technology Directorate has been working on the app to enable officials to verify and track first responders arriving at a scene as well as exchange attributes to make sure they have the necessary training, says Karyn Higa-Smith, program manager for Identity Management and Data Privacy Research in the Cyber Security Division of Homeland Security’s Science and Technology Directorate.

The development is being conducted at the Homeland Security Identity Management Testbed, hosted at Johns Hopkins Applied Physics Lab. An app for the Android handset that uses a commercial, off-the-shelf Bluetooth smart card reader for smart phones is now being tested, HigaSmith says.

Organizations CONSIDERING MOBILE APP DEPLOYMENT State and local level: Virginia Southwest Texas Colorado Rhode Island Federal level: Parking lot security at the Social Security Administration Physical location security at the FAA Law Enforcement Flying Armed security (TSA)

It can read PIV and PIV-I credentials as well as Defense Department Common Access Cards. There have also been some discussions with seaports security to use the solution for reading Transportation Worker Identification Credentials. In the future, Homeland Security hopes to take advantage of handsets with near field communication built in. It’s possible

the handsets will provide an inclusive access control tool for the officials to be able to read, authenticate and verify authorization of the individuals without any additional reader, says Higa-Smith. As the use of both smart cards and smart phones increase, first responders are seeking solutions that leverage existing tools instead of purchasing new hardware to serve one purpose. There are a number of companies selling readers to verify the credentials but they are expensive. Using existing smart phones with this solution can bring the price down considerably and enable other uses. The standards-based solution has been tested with Chester County, Pa. and West Virginia, says Higa-Smith. FEMA is also using the Android app. Some of the jurisdictions have been using handhelds from a company that has since gone out of business, which is why the Science and Technology Directorate is seeking to provide the standards for multiple smart phone platforms. Higa-Smith is also meeting with Apple seeking to work with the Science and Technology directorate to develop a solution for iOS mobile products based on the standards. The app for Android is still under development but will be available as opensource, freeware on the app store this summer.

Summer 2013

Awards

AWARD-WINNING PKI PROJECTS STREAMLINE PROCESSES, INCREASE CONVENIENCE Andrew Hudson, contributing editor, Avisian Publications

PKI PKI is designed to be an efficient, information security technology that, among other uses, can help expand the global Internet trust network. Through the formation of cyber identities, PKI enables trusted electronic transactions for a variety of business, government and consumer uses. Additionally, PKI protects against identity fraud and eliminates slower and more expensive paper-based processes. Recently, the Four Bridges Forum recognized some of the most innovative uses of high assurance digital identity solutions in both the public and private sectors. Award nominations were open to the public and judged by a panel comprised of representatives from each of the participating Four Bridges Forum PKI bridges: the Federal Bridge Authority (Federal agencies), CertiPath (Industry, aerospace and defense), SAFE-BioPharma (Biopharmaceutical and health care) and the Research and Education Bridge Certification Authority (Education and research sectors).

Summer 2013

Innovation winner – MONITOR DYNAMICS TRUSTED FICAM PLATFORM PROVIDES PKI-BASED ACCESS CONTROL Monitor Dynamics’ Trusted FICAM Platform is a physical access control system designed to deliver trust by leveraging PKI-based identity credentials and PKI Bridge infrastructure. The FICAM Platform utilizes PKI credentials that meet the FIPS 201 federal standard. It is designed for users wishing to incorporate PIV, CAC and PIV-I with full validation support across both the Federal Bridge and CertiPath Bridge. It also supports locally validated credentials like CIV, FRAC and TWIC. CertiPath selected it as the test platform for certification of all PIV-I credential issuers. The Trusted FICAM Platform enables authorized credential holders to use a single enterprise-issued, digitally-certified smart card badge to gain physical access to buildings or facilities, and can use that same badge to securely log on to their personal workstation or laptop. The platform acts as the “lock” through which all users must pass, ensuring that their PIV-I credentials act as the “keys” – all while meeting the required identity and physical security requirements. In addition to the benefits that PKI-based credentials offer to physical access control systems, Monitor Dynamics also supports Bridge PKI that enables an organization to: Discern if the credential has been revoked in real time Know if the issuer or similar authority serving as the basis for trust in a credential has been revoked Accept a visitor’s own credentials and receive near real time status information of visitor’s current company affiliation The platform possesses a surveillance capability as well, combining intrusion detection, video surveillance and identity management into a centralized command and control dashboard with global management and reporting capabilities.

PKI

BUSINESS VALUE WINNER – U.S. GPO EDOCS SySTEM ENAbLES SIGNED ELECTRONIC SUbMISSIONS TO FEDERAL REGISTER The U.S. Government Printing Office is tasked with printing and disseminating both hard copy and electronic versions of the Federal Register – the official journal of the U.S. federal government. The Register is published daily, not including weekends and holidays, and contains all routine publications and public notices for the more than 1,500 disparate government agencies. By law, each document that appears in the Federal Register must carry with it an original and legally binding signature. Prior to 2006, Register documents could only be submitted on paper accompanied by a separate form containing a wet (ink) signature. In 2011, the Federal Register’s 248 issues contained nearly 33,000 distinct documents – the equivalent of 343,000 typed pages. The process of paper submissions and wet signatures had simply become overwhelming. Enter PKI. “GPO operates a Shared Service Provider PKI service which is available to GPO customers in all three branches of US federal government,” reveals John Hannan, chief information security officer for GPO. The transition began in 2006, with the introduction of electronic Register submissions – a process that saved the GPO considerable time and money. By 2011, GPO’s PKI electronic document submission system (eDOCS) was responsible for one third of all Register submissions. Federal agencies using eDOCS convert documents to PDF format, digitally sign them, and submit them to the Federal Register via email. “The digital signature is a unique code based upon the individual user’s private key and the electronic file to be signed,” explains Hannan. “A PKI digital signature is a very strong, fraud proof method of electronic signature that meets or exceeds all U.S. federal government e-signature requirements for official documents.”

The PKI service carries with it a number of benefits, particularly with regard to operational cost. “The costs associated with the traditional, paper-based submission process using ink on paper signatures can now be avoided. The submission can now be sent via email using a digitally-signed electronic file,” explains Hannan. By Hannan’s estimation, the PKI system pays off sooner rather than later. “Once an organization sends over five submissions in a year – the approximate break-even point – the costs of the PKI electronic submission method begin paying dividends,” says Hannan. “For organizations that send hundreds of these submissions per year or more, the savings can be significant.” Another benefit of eDOCS is the time needed to complete submissions. “The PKI solution enables for quicker turnaround times, meaning organizations have more time to prepare their submission before it would be due prior to publication,” explains Hannan. “It makes for more efficient and effective processing of the submission itself during the publication process.” To take part in the electronic submission process, agencies issue a medium assurance level digital certificate to personnel. This issuance requires an in-person identity-proofing process, either at GPO’s main office or through the participating agency’s Local Registration Authority. In addition to digitally signing files, the digital certificates can also be used for file encryption, email encryption and signing in Outlook email. These are utilities that Hannan believes will be vital for many Federal agencies moving forward. “The aspect of strengthening electronic transmission processes beyond simple password authentication is expected to become increasingly beneficial over time for U.S. federal government agencies,” says Hannan. “There are many examples of processes that could benefit from this type of solution.” The GPO’s PKI infrastructure has been cross-certified with the Federal Bridge Certification Authority since 2005 and has been a Shared Service Provider since 2007.

Summer 2013

PKI

Federation winner – DMDC JPAS system MIGRATES FROM PASSWORDS TO PKI

certificates, the unique value is the DOD Identifier, for PIV and other approved certificates, the unique value can be the Federal Agency Smart Credential Number or a unique value that has been The Joint Personnel Adjudication System (JPAS) made the transition amalgamated from the credential itself,” reveals Crawford-Grijalva. from the Defense Security Service to the Defense Manpower Data In the event that an external user’s unique identifier is not found Center (DMDC) in June 2010. Shortly following the transition, in JPAS – for example a first time user – the JPAS application will the compliance process began with the Joint Task Force-Global redirect to a self-registration screen where the user’s JPAS account Network Operations Tasking Order 07-15 – a mandate for Public can be linked with their certificate via an additional knowledgebased authentication factor. Key Infrastructure implementation for all Defense Department The DMDC is confident that the credentials. The primary challenge for the JPAS solution will provide a more usjump to PKI was the tens of thouer-friendly and secure authentication sands of users who utilize JPAS but What is JPAS? experience. “The primary benefit did not qualify to possess a Defense for the end user is that it eliminates The Joint Personnel Adjudication System (JPAS) is a Department-issued PKI credential. the need to remember and maintain consolidated Department of Defense database for The population includes more than username/passwords, while at the verifying and distributing security clearance for DOD 20,000 private sector users, extersame time increasing application personnel across agencies. security and privacy protection,” nal federal agency personnel and Spanning military, government and civilian personnel, explains Crawford-Grijalva. “Uscontractors. as well as industry contractors, JPAS creates an almost JPAS’ solution was to accept all ers no longer need to create a new real-time, single source for clearance-granting informaDefense Department approved hard15-character password with specific tion. Prior to JPAS, security clearance was monitored ware-based credentials at medium sets of uppercase/lowercase, numthrough an assortment of databases managed by numerous agencies. bers and special characters every 6 assurance levels. Moreover, JPAS’ months.” new system is compliant with USB JPAS is accessible through the Internet and enables tokens or smart cards, individual The benefits of the new system are submission of new clearance requests and updates to corporate-issued smartcards and penetrating other aspects of authenpersonal from virtually anywhere. Security managers PIV-I credentials. tication as well. An ancillary benefit can interact with clearance information and directly submit clearance requests to Central Adjudicating In January 2012, JPAS officially to the users who had not previously Facilities and other responsible agencies. removed its username/password held a PKI credential is that they can authentication method becoming use their certificates for digital signone of the first Defense Department ing of electronic forms or email mesWeb applications to accept approved external PKI credentials. sages and receiving encrypted email,” reveals Crawford-Grijalva. “When the JPAS application login is requested, the user’s cerWhile the solution is providing promising results already, the tificate information is provided to the JPAS application,” explains DMDC already has an eye on the horizon. “Several other Defense Autumn Crawford-Grijalva, project manager with DMDC. “JPAS applications have approached JPAS to assist in similar PKI soluthen conducts Certificate Policy Identifier filtering to ensure that tions for their web applications,” reveals Crawford-Grijalva. “The only FIPS 140-2 compliant hardware cryptographic modules are beIndustrial Security Facilities Database, Secure Web Fingerprint ing used, mitigating the risk of users sharing software credentials.” Transmission, Defense Central Index of Investigations and the The Defense Manpower Data Center has three specific methods Defense Contract Management Agency have all expressed interest.” to ensure proper identification across the various forms of approved The JPAS initiative is an extensive one, drawing expertise from credentials. “For Defense Department Common Access Card a wide range of both Federal and industry players.

Summer 2013

PKI

Collaboration winner - Cancer INSTITUTE Research processes accelerated with cloud-based PKI The National Cancer Institute integrated PKI-based, interoperable digital identities into its Cancer Therapy Evaluation Program. Through the use of PKI, the institute enables government and industry cancer researchers to accelerate the start-up phase of clinical trials by securely accessing, reviewing, signing and exchanging cloud-based documents. It is a pioneering use of interoperable digital identities that demonstrates how clinical trial initiation can be accelerated while simultaneously reducing costs. “Company researchers used digital identities acquired from a provider compliant with the PKI-based SAFE BioPharma standard and the U.S. Government’s Federal Bridge,” says Steven Friedman, chief of Clinical Trials Operations and Informatics at the institute. The solution cross-certifies SAFE BioPharma – the identity trust hub serving the biopharmaceutical and health care industries – along with the Federal Bridge, enabling each to trust the other’s credentials. Cancer Institute researchers participated in the first phase of a pilot study that tested the use of PKI-based interoperable digital identities and cloud-based digital signatures to eliminate reliance on paper forms in clinical trials.

The pilot study included researchers from both the National Cancer Institute’s Cancer Therapy Evaluation Program and BristolMyers Squibb. The Cancer Institute researchers were issued digital identities from the Federal Bridge while the Bristol-Myers Squibb participants received certificates from SAFE BioPharma. Cross-certification of the Federal Bridge and SAFE-BioPharma identities ensures interoperability, allowing the digital identities to be asserted by one and trusted by the other. Friedman explains that doctors and medical researchers are a busy and surprisingly mobile group, and the benefit of PKI is its ability to streamline their daily routine. “The new solution simplifies the user experience by expanding the number and kinds of devices that can be used for authenticating and signing,” explains Friedman. “Researchers are no longer tethered to the computer, they can now use their smart phone to authenticate to a site and electronically sign documents.” As with the Federal sector, legally binding signatures are a vital utility in health care. The pilot at NCI is further proof of this. “As more and more businesses and governments convert from paper operations to online services, they will benefit from trusted authentication, digital signing of electronic documents and above all the ability to assert a trusted identity,” says Friedman.

Summer 2013

Company tangos with biometric payments STARTUP BELIEVES IT CAN SUCCEED WHERE OTHERS HAVE FAILED Jill Jaracz, Contributing Editor, AVISIAN Publications

Five years ago, a trailblazer in the field of biometric payments crashed and burned. Pay By Touch wanted to change the way consumers paid for goods at the point of purchase, requiring only a fingerprint to authorize a transaction. The service fell short of mass consumer adoption, and the company – famously known for burning through money – closed abruptly after a six-year run. Now, a new startup is once again testing the waters of biometric payments. Can PayTango succeed in bringing biometric payments to the mainstream where its predecessor failed? PayTango is the brainchild of Christian Reyes, Brian Groudan, Kelly Lau-Kee and Umang Patel, four students from CarnegieMellon University. “We were working on a couple of different ideas to consolidate all the cards in your wallet into to one card,” says Patel, CEO of PayTango. “We ended up using biometrics because we realized that from an identity standpoint, it makes a lot more sense to identify the person and not just the card.” PayTango replaces the cards in a wallet by attaching a biometric factor to those accounts. “Anything you’d have a card for, we can store that data and associate it with your biometric,” says Patel. This includes payment cards, loyalty cards, student IDs and more.

Summer 2013

It takes about fifteen seconds for a consumer to register for the service at the POS terminal. “One of our big priorities was to make sure that it doesn’t hold up the line and is something that people can easily do,” says Patel. “The PayTango terminal basically takes your two fingerprints and then it associates them with any card data,” says Patel. To enroll in the system, a consumer touches two fingerprints to the fingerprint reader and then swipes the card they want to associate to those fingerprints. Then they input a third piece of information – currently a phone number – as an identifier, says Patel. Once enrolled, they no longer need the card. “We’ve developed technology to transmit that card data using the biometric input, so if it’s to a POS system or whatever’s on the other end, it receives the exact same input as it would otherwise,” says Patel. If a user’s credit card gets lost or stolen, he wouldn’t have to do anything special to deactivate the PayTango function. The user would report their card lost or stolen with the credit card company, and once that account is deactivated, the card will no longer work with PayTango. Upon receiving a new card, the user can re-register it at any PayTango terminal, says Patel.

The PayTango terminal is a plug-andplay device designed to work with current POS systems. Prototypes currently run about $1,000 per unit, says Patel, adding that the company is working on ways to bring down those costs. PayTango is in the pilot stage of testing its product. It conducted a closed pilot in February and then started a more open pilot on the campus of Carnegie-Mellon in late March. The second pilot took place at three locations on campus and was designed to work exclusively with student IDs that have meal plans attached. The company took a silent approach and installed the terminals without any formal promotion. “We stick a terminal there and see what people do with it,” says Patel. Within the first 10 days, the program registered 400 to 450 users and completed more than 2,000 transactions. “People are using it regularly and seem to like the product,” says Patel. Patel hoped that by the end of the semester, the product would reach some sort of critical mass. “That’s one of our big goals, to get that critical mass and show that biometrics is a viable solution for ID card systems and that it’s socially accepted.” Social acceptance of biometrics is another reason PayTango hopes that it will succeed where others have failed. “I think there’s a movement toward people valu-

“

ing convenience,” explains Patel. “You have all these emerging mobile technologies like Google Wallet. People are using them in for their convenience, so I think the timing is right at this point.” “When Pay By Touch started ten years ago the landscape was completely different,” he sasy. “People’s perception of technology and privacy was very different from what it is today.” He explains that Google and Facebook didn’t dominate consumer life as they do now and this has led to significant change. “Entry point is also important,” says Patel, noting that Pay By Touch started at supermarkets where there’s a wide range of consumers in all ages and they all have a different perception on privacy and security. “College campuses are more homogenous

We ended up using biometrics because we realized that from an identity standpoint, it makes a lot more sense to identify the person and not just the card

and liberal so you can get critical mass there,” says Patel. “There are a lot of small things that you can do right that will improve your chances of making something like this work and become really successful.” Still, PayTango’s success hinges on the willingness of consumers and merchants to use it as a form of payment, and currently they are satisfied with their plastic cards, says David Kaminsky, senior analyst at Mercator Advisory Group. Biometric payments may offer advantages in convenience and security, but Kaminsky doubts this will be enough.

Summer 2013

“Consumers and merchants aren’t begging for a more secure alternative to card based payments,” he says. “Our current system, although imperfect, is acceptably secure.” “Merchants are unlikely to invest in new hardware that supports biometrics, especially because fraud liability for card present transactions generally defaults to the card issuer,” explains Kaminsky. “Additionally, consumers are generally slow to change their habits when it comes to handling their finances – including making payments – unless they have a strong motivation to do so. Cards work well enough, so there is no such motivation among consumers.” PayTango’s initial plan is to start with universities like Carnegie-Mellon. It is in talks with others according to Patel. “From there we’ll probably cover access control. This makes sense early on, because we’re not really a payments company,” he says. “It’s really biometric identification as a service, providing infrastructure where you can unplug a card reader and plug in our biometric reader and everything works out of the box.” “Next year, we’re going to focus on very specific verticals to get that adoption – universities, gyms and a other places that would see very clear value in it,” says Patel. “We want to make biometrics a little more mainstream. Right now it’s primarily used for high security applications, but we see this as a better interaction and a way to do day-to-day things,” says Patel. “Ultimately,” he concludes, “it would be great if everyone had PayTango and could go from store to store paying with a fingerprint.” History, however, is against the upstart company. Still Patel has a strong sense that times have changed and the market may finally be ready for biometric payments.

Summer 2013

“

IT’S REALLy bIOMETRIC IDENTIFICATION AS A SERVICE, PROVIDING INFRASTRUCTURE WHERE yOU CAN UNPLUG A CARD READER AND PLUG IN OUR bIOMETRIC READER AND EVERyTHING WORKS OUT OF THE bOx

Text it. Tap it. Launch it.

OMG.

Take your campus card program mobile with CBORD®. • Access • Spending • Online Ordering • Account Management • Attendance Monitoring • And More!

CBORD 61 Brown Road Ithaca, NY 14850 607.257.2410 www.cbord.com Summer 2013

ImprovING ID Security BY Taking a Page from Passports Jeff Tingley, Senior Business Development Manager – North America, GET Group

Every day, incidents occur worldwide that show counterfeiters and other criminals are actively undermining attempts to establish secure networks for traveling across borders. In recent months, suspected terrorists have been found with fake passports in the Middle East, while the Ministry of External Affairs in Chennai, India, unveiled stringent security standards for passports to cut down on forging official documents. The threat of counterfeiting passports remains a burden for many countries but substantial improvements are being made throughout the world. These improvements in passport security are now being translated into ID card security, improving identification for a wide range of industries. Technology employed in cards includes ultra-violet printing, holographic images and a variety of sophisticated encoding techniques, but the first line of defense continues to be image quality and image duration. Levels of security have never been higher, yet many organizations continue to employ printing elements that are decades old and lag far behind their counterparts in the passport realm. From network authentication to corporate facility access, the first line of defense for many of today’s organizations is still the physical security of the identity credential, making the quality of the on-card image critical for visual identification and authentication. To meet the growing security demands of today’s sophisticated enterprise systems, cards need to adopt

Summer 2013

new technology, such as the forensic quality of 600dpi resolution and pigment ink. As countries around the globe embark on new initiatives to cut down on passport counterfeiting on a national scale, it’s time for IDs used in every industry – tourism, education, pharmaceuticals, manufacturing and more – to catch up. The money, time and expertise put into the systems that support security efforts can be undermined by neglecting the final piece – the physical card. A security system can be compromised if the credential’s physical security features don’t match the sophistication of the system. There is good news, however, as high levels of security can be built into physical cards at a cost that rivals that of older, less secure technology.

The new security standard is 600 DPI

hold uniquely cost-effective keys to improving security. Furthermore, by utilizing advanced printing technologies, these pieces can become much more than just identifiers, playing a significant role in card security. When produced in high-resolution formats, photos and text act as detailed differentiators that increase the difficulty of duplication or alteration of the card. Three hundred ‘dot per inch’ (DPI) images have long been the standard for identification and access control cards but organizations are increasingly confronted with the need for a higher level of instantly assured authentication. Greater physical and logistical security requirements, improved availability of data on-demand

6pt 300 dpi

For most enterprise identifica6pt 600 dpi tion, access control and other security applications, the physical security of the card has become an afterthought. Yet it is often the surface of the card that contains the most critical elements and the ability to include more and more for authentication: namely photos and text. of this data on cards have collided to create Like a passport, these two are the most an unprecedented need to easily verify common and oft-examined components of card validity. Lower-resolution imagery is a card, but they are too often overlooked struggling to meet this challenge. in the push to chip technologies, RFID New, passport-quality 600 DPI printing and more. While electronic data storage technologies can provide the answer with and protection technologies are critical, higher resolution capabilities than ever it is the simpler aspects of the card that before. 600 DPI printing provides crisper,

more true-to-life imagery that is substantially more difficult to alter or fabricate. The enhanced detail of logos, photos and text combine to deliver a higher quality card with a greater degree of protection against counterfeiting. Not only is it noticeably superior to the naked eye, but 600 DPI also provides precision of detail at the next level. 300 DPI-based content on lower quality cards will blur when viewed under a loop, obscuring finer details and making it harder to guarantee visual authentication. But 600 DPI preserves even the finest details that differentiate visual content. As a result, the ability to tamper with cards or forge them entirely is much easier with 300 DPI cards. The use of 600 DPI prevents surface alteration with blur-resistant detail and the use of more sophisticated printing techniques. Specifically, it enables organizations to use micro-text – a one-point font that is clearly visible even to the naked eye but impossible to create at 300 DPI. Micro-text is often captured on cards as a border or simple graphic element that appears at first glance to be a line. Upon closer inspection, however, the line is recognizable as distinct yet microscopic letters. Attempts to print micro-text at 300 DPI will simply yield a line, rather than actual words, so fraudulent cards can be immediately identified. Because 600 DPI printing options are available from a very small group of highend vendors, micro-text is a tremendous validation tool for organizations that depend on visual authentication of identification cards and their users. For employee access cards, smart IDs and many other corporate cards that contain personal information of a sensitive nature, this kind of security – features that make it significantly more difficult to steal or recreate – is critical to corporate security and data protection.

Print begins with ink

pigment

In order to fully maximize the power of 600dpi for card security, however, organizations must carefully consider another critical element of card production. Smart cards such as employee IDs, access control cards and other enterprise applications can only capitalize on high-resolution imagery if they are combined with ink that delivers longevity, integrity of color and resistance to chemical tools for alteration. Specifically, pigment ink provides the highest level of durability and superior color quality. This makes it is critical for delivering secure personalization. Pigment inks are long lasting and bind firmly to a variety of substrate materials to keep from degrading over time. This enables organizations to choose from a wide variety of card materials – including PVC, PET, polycarbonate and more – depending on application requirements, cost and other material concerns. Without limiting substrate options, institutions can build customized cards exactly to their specifications. More importantly, pigment inks maintain color fidelity on a variety of card materials regardless of the end-user’s environment. In contrast to more commonly used dye sublimation inks, they are UVresistant for the entire lifetime of the card and thus protect against color fading. Card elements will survive over time and remain

another dye

Original

after 100 hours

after 200 hours

unaffected by the common wear and tear that often gives way to tampering. This is particularly important for smart cards and employee IDs with multiple uses. Additionally, pigment inks are not affected by contact with chemicals, which means they are difficult to alter or damage without destroying the card material itself. Environmental factors such as light, moisture and exposure to dust have less of an effect on pigment inks than others, so they do not adversely impact the quality or longevity of the card. Again, this elevated threshold of durability is critical for enterprise IDs and cards that are used frequently. This is an important lesson learned from countries looking to fight back on forgeries of passport IDs.

Summer 2013

Edge-to-edge and dot-by-dot The full security potential of pigment inks and 600 DPI technologies is seen in the sharp images produced when combined with unique printing technologies such as dot-by-dot. While dye inks produce normal images that blur together when placed under a microscope or loop, pigment inks can be printed to display hundreds of thousands of individual dots that unite to form an incredibly detailed image. Only viewable under a loop, this technology not only helps security staff instantly identify the card as authentic but also creates an extremely crisp image that is not possible with other kinds of ink. The dot-by-dot technique is a highly sophisticated print method that enables organizations to not only secure their cards with detailed content, but also differentiate them from any imitators. Successfully combining high-resolution capabilities and superior ink to maximize security depends on choosing the right printing method for each card. Retransfer printing – more commonly known as highdefinition printing – is the most advanced technology available and ensures better quality by printing images onto a retransfer film rather than directly on to the card itself. The retransfer film bonds thermally to the card, ensuring image quality is not adversely affected by the substrate material and remains consistent across high volume production. This is especially important for smart cards that contain small irregularities in shape or surface due to the embedded chip or RFID technology. Retransfer printing also enables true edge-to-edge printing, which allows cards to feature text, graphics and holograms that extend to the very edges of the card. This feature is impossible with direct-tocard printing. It enables the creation of a tamper-resistant seal, which offers an increased level of visual authentication and enhanced security against reproduction or alteration. Retransfer printers that use a primer enable consistent quality of personalization

Summer 2013

New techniques such as 600 DPI printing, pigment inks, and holograms work alongside traditional security features to facilitate visual inspection

details on the card without risking peeling or sloppy surface coverage. For the most accurate and resistant films, organizations should consider card printing technologies that attach the image to the card with heat but also utilize a primer. This method enables for a primer-less area to be applied to the card, which keeps the area of a contact chip or magnetic stripe uncovered. The method is highly accurate, virtually invisible to the naked eye and is possible only with retransfer printing technology.

Conclusion The advantages of 600 DPI, pigment inks and edge-to-edge retransfer printing can

help increase efficiency and bolster card security for IDs, access control cards, bank cards and many other smart card applications. While most executives believe security is limited to chip technology, card printing technologies can work alongside sophisticated electronic features to bring security to the level demanded by the most sensitive applications. To truly exploit the value of RFID, biometrics and other technologies, next-generation solutions must be used in concert with sophisticated printing techniques to create a multi-layered solution for smart card personalization.

ChOOSING ThE rIGhT CArd PrINTEr rIBBON CAN SAVE BIG BUCkS gabriEl schonZEit, PrEsidEnt, idsEcurityonlinE.coM

Card printer ribbons are central components of any ID card program. They promise sharp, vivid ID cards for stunning employee or student badges. But the choice of a card printer ribbon can be confusing as it is not simply a question of color. In fact, it depends on the design of a badge and the user’s application. That is why some ribbons can prove to be far more cost-effective than others. To determine which one is right, users have to define precisely what will be printed and understand the options.

on the entire surface of the cards. A specific ribbon is available for each case. Most users purchase a standard YMCKO color ribbon to print their ID cards and badges and it does make sense for full color single-sided badges. In some cases, however, buying an YMCKO ribbon can be a waste of money.

IDENTIFyING A RIbbON For dye-sublimation card printers there are two major types of ribbons: monochrome and color. Monochrome ribbons are used to print single-color text or images on a blank or pre-printed card. Monochrome ribbons come in a variety of colors such as black, red, green and even gold and silver. Some manufacturers offer specialty ribbons such as scratch-off rolls, perfect for gift cards, calling cards or unique marketing actions. Color ribbons are divided into three to seven unique panels, each panel being designated by a letter. For example, a five-panel ribbon will be defined by a series of five letters. A standard color ribbon is a known as a YMCK or YMCKO ribbon. YMC refers to the three primary colors: yellow, magenta and cyan. The printer applies each panel one at a time to produce up to 16.7 million colors. The K panel is a black resin panel used for sharp lettering and bar codes. Some ribbons also come with an overlay panel (designated with an O or T) to apply a clear protective layer to the printed card.

COST-EFFECTIVE RIbbONS To find the right color ribbon, it is fundamental to decide on the design of the cards. Users have to determine if the cards will be single or dual-sided, and if color is required

Another interesting case is when color printing is not required over the entire surface of the card. Many ID cards feature a color photo with a logo, cardholder information and a bar code. For those applications, most users get a regular YMCKO ribbon without knowing that there is another solution that can significantly reduce the cost per card. Some manufacturers offer a half-panel color ribbon. With this type of ribbon, the yellow, magenta and cyan panels are half the size of the regular panels of an YMCKO ribbon. Up to half of the card can be printed in full color while black text or images can be printed anywhere on the card. This ribbon is ideal for student IDs or employee badges and also works great on pre-printed cards when only a picture, name or bar code needs to be added. A half-panel color ribbon allows twice the normal ribbon yield of a regular YMCKO ribbon, and is on average 45% cheaper. Users get more prints per roll at a much lower cost per card.

bUyING TIPS

For dual-sided badges, an YMCKO ribbon is the right choice only if the front and back of the card are both printed in full color. However, if the user’s application requires color on the front and black on the back, an YMCKO-K ribbon is much more costefficient. This ribbon is specifically designed for dual-sided card printers and includes an extra black panel that is used to personalize the back of the card. A typical application is an organization looking to print employee badges with a photo ID, text, logo and background on the front and the company’s contact information in black on the back.

Purchasers might get anxious at the idea of ordering a new type of ribbon but following a few easy rules will guarantee a smooth and successful experience. First, printer ribbons are specific to a printer brand and model so buyers should start by checking which ribbons are compatible with their printer. Another key factor is the number of cards that will be printed. Many manufacturers offer high-yield ribbons that double the number of cards per roll. Once the selection is done, it is recommended to call the retailer to check that the chosen reference is right for the card application. Users can also send their card design to their provider for complete peace of mind.

ADDITIONAL GUIDELINES Many users do not know that card printer ribbons typically carry a shelf life of one to two years. Beyond that time, the print quality might be degraded. Ribbons need to be stored properly to avoid excessive cold, heat, humidity and direct sunlight. They should never be stored near solvents or other chemicals. And remember, if a ribbon breaks do not discard it. It just has to be taped back together to print again.

Summer 2013

Fractional Identity An ALTERNATIVE TO NSTIC, FEDERATED IDENTITY MODELS George Peabody, Glenbrook Partners & Stephen Wilson, Lockstep Consulting

Despite laudable goals, the National Strategy for Trusted Identities in Cyberspace’s identity framework demands a discontinuous leap beyond both what’s needed and achievable for improving online transaction reliability, security, and risk. A lighter touch approach, characterized by context-specific fractional identity, can provide needed authentication and identity services without the legal complexities posed by the wholly novel outsourcing of liability of the NSTIC design. Trust, that essential attribute of a relationship, is based upon identity and the experience all parties gain as they transact. While in-person identity is reasonably certain, it is especially difficult to establish in the online environment. As online devices increasingly figure in bricks-and-mortar transactions, the transaction domains blur. To bridge that gap, a number of approaches have been taken, the most recent of which is federated identity as exemplified by the White House’s National Strategy for Trusted Identity in Cyberspace and its cousin, the Open Identity Exchange model of an attribute exchange network. This entirely

Summer 2013

new approach that injects the new attribute exchange network into every transaction has, on the face of it, strong appeal. What makes more sense than a passport to cyberspace? But, on closer inspection, it fails for a number of reasons. This article begins with a critical examination of the online identity exchange concept as currently proposed. It continues with a discussion of several evolutionary and implementable models based on existing bilateral trust relationships. These alternative approaches should provide workable identity services while testing both needed infrastructure components and the need

for an attribute exchange network-scale identity über-framework.

Problematic Federation The Open Identity Exchange’s purpose is laudable. No one doubts the online world badly needs stronger, more consistent and uniform identity mechanisms – coupled with stronger authentication – to curb fraud, speed web site access and enable higher value, higher risk transactions. The Open Identity Exchange’s stated development goal is to build “Agreements between all parties (that) contractually enforce the business, legal, technology, policy, certification and audit aspects of the Trust Framework, which are established and managed by a Trust Framework Provider via an Attribute Exchange Network.” This describes the complexity of the task. It will take a decade or more of legal development, negotiation, tuning, and, critically, case law to establish itself. Despite the questionable history of federated architectures, the Open Identity Exchange approach presupposes that its

How is Fractional Identity different from federated identity? The core idea is that the semantics and business rules around component attributes are simpler than for abstract identities. I might be “Steve Wilson” at a bank, and “Steve Wilson” at my employer, but the ‘fine print’ in my respective relationships makes it impossible for either organization to rely 100% on the other’s identification of me. The handles look the same but they mean different things in different contexts. This proposal works at the lower level of attributes, like name, address, date of birth, citizenship, etc. These properties on their own do not constitute identities and the liability that goes with proving their factual correctness is very simple. The fractional identity model leaves Relying Parties free to put attributes together as they see fit, to perform identification from one context to another. At the technology and identity management protocol level, fractional identity does indeed look a lot like identity federation, so the model enables services and developers to re-use most of what’s come before. But fractional identity greatly simplifies things at the business rule level.

framework is an ideal end state well before it has been subjected to the selective pressures of the marketplace. The model changes elegant, time-honored bilateral arrangements between relying parties and subjects, instead pushing complex and novel trilateral arrangements between relying parties, subjects, and identity providers. The notion of the attribute exchange network, like all federation architectures, presumes a real time stranger-to-stranger – or context free – identity negotiation for every fresh transaction. In fact, in the vast majority of economically important transactions, the context is already in place and the appropriate credentials can be specified when the rules for a scheme or entire business sector are drawn up, well in advance of the parties ever meeting.

Federation is Astonishingly Hard Another, historically fatal concern for the Attribute Exchange Network concept is how it underestimates the barrier to entry created by its complexity. As an approach,

the Open Identity Exchange purports to support straightforward integration at low cost. The Attribute Exchange Network document itself states that its “one to many relationship model … reduces barriers to entry in the Identity Ecosystem.” Based on prior history, this may not be the case if participants find it challenging and legally complex to come to grips with new one-to-many arrangements. If firmly established bilateral arrangements are eschewed, the total cost of implementation is greatly increased by the legal work needed to address liability concerns. Market development for such a service is challenging for the important merchant cadre of relying parties. In a study conducted by the Merchant Risk Council on the value proposition of universal authentication, major e-commerce merchants raised a number of concerns, including: The high cost of implementation, when compared to more pressing business optimization efforts, would be unjustifiable until a critical mass of consumers were enrolled

The outsourcing of liability to an unproven third-party platform, performing a technically and legally untested role, was met with considerable skepticism. From this point of view, why should routine transactions need to invoke a third party in real time to negotiate, on their behalf, the required set of attributes when they are already satisfied through existing relationships and agreements? While federation promises less friction for new customers, it’s an illusion when the implicit complexity of the new arrangements is so novel, it cannot even be quantified.

Fractional Identity Humans exercise different identities in different contexts. In business, personal and family settings, we behave and engage with others in distinct ways. What this means in the digital world is we disclose different identity elements to different parties. It all depends on what we need to know about someone to be able to transact with them.

Summer 2013

DEFINING THE Attribute Bus An Attribute Bus is a set of Application Programming Interfaces for exchanging information about identity assertions. Authoritative sources of truth provide standardized responses to queries from relying parties about given attributes; the responses can be in the form of privacyprotective binary – yes/no – or they can provide a measure of confidence in the accuracy of a bundle of attributes. Attribute Providers feeding into the bus will include government registries, license authorities, professional associations, employers, financial institutions, credit ratings agencies, and business intelligence brokers. The attribute brokering business will be made contestable through the bus, with different providers offering to verify various ensembles of attributes, and bundling other e-services.

For instance, a merchant may not need to know much more about you than your credit card number. Conversely consumers know which payment card they prefer to use and at which shop. Similarly, if you’re at a health care site, the server wants your health plan identifier; if you’re at a liquor store, the clerk wants your anonymous proof-of-age and your money. In each case, only a fraction of one’s “identity” is needed to legitimize a transaction and the context – encompassing physical location, virtual location, or even the software you’re running – determines which identity fraction exactly matters. In cold hard reality, relying parties set the rules of transaction engagement, because they bear most of the risks of misidentification. For example, if you’re a doctor logging onto an e-prescribing site, you must have a medical certificate or you don’t get in. A merchant may opt not to accept American Express cards. That’s non-negotiable for the customer because it’s the relying party’s prerogative to set the rules. In each case, well-understood identity assertions are in play. Therefore, we propose a re-orientation toward more achievable initiatives based on the concept of “fractional identity,” a context-specific approach that encourages broader usage of existing

Summer 2013

identity elements for use cases with broadly similar risk profiles. Fractional identity recognizes the utility of the many elements we have today and leaves the heavy lifting of credentialing in the hands of those already doing it – financial institutions, federal and state agencies, health care providers, etc. We would encourage use case expansion via natural financial incentives. We’re advocating minimal change to the current bilateral relationships because stepping up to a multilateral exchange is such a huge change. Most business IDs today are issued by relying parties for use in closed arrangements. The closed nature of these approaches confers resilience and utility, provided authentication methods are not confused. Rather than forcing all participants to confront, individually, the legal hairball of outsourced liability, fractional identity lets participants carefully unpack what assertions are implicit in today’s “identities” and assemble useful attribute sets instead. With granular access to the authentication signals involved with a given transaction, relying parties remain in control, rejecting signals with uncertain provenance or inadequate strength, such as a software-based

authentication token when relying party policies demand hardware. To tackle the problem of redundant identities, we advocate for component claims, attributes, and data signals to be shared. If an organization knows something specific about me, my delivery address for example, as a result of them “identifying” me, then that organization can vouch for that signal to other relying parties. And get paid for it. Across this attribute “bus” relying parties are able to acquire the signals required for the transaction. Financial institutions, state and federal governments, health care organizations, insurers and others are natural providers of these signals. There is going to be just one natural authority for assertions like driver license number or health ID; others might be provided by brokers or intermediaries, in the same way as financial metrics based on raw registry data are packaged, valueadded and resold. Moving organizations into this new line of business – and it is a business – is the hard part. Financial institutions are not yet viewing their “know your clients” records as assets with ROI potential. Unlike data-centric, cloud-based approaches with their inherent privacy concerns, a lightweight service enables the relying party to interrogate the attribute provider through the service via simple yes/no queries. Is this Steve’s shipping address? Is this card credential associated with George’s bank account? Notice that this model does not require the outsourcing of trust relationships or risk. Nor does it require personal data to be centralized by an identity service. Instead it leaves relying parties free to construct

DEfINING fRACTIONAL IDENTITY identities for their customers and partners from different signals relevant to them. From here, it is possible to construct a subject-centric model where individuals are able to manage and release their personally identifiable information on a permission basis as opposed to leaving its use up to the business purposes of a central provider.

MAJOR qUESTIONS REMAIN Even the simple expansion of authentication services is nothing simple. The marketplace is just beginning its exploration of the economic incentives required to encourage behavior change, and new business exploration, by financial institutions and other candidate attribute providers. Other questions include: Can a heterogeneous approach evolve in the face of the data-driven identity monocultures envisioned and managed by the largest Internet properties? Will consumers be willing to have packets of their Personally Identifiable Information traded as authentication signals, explicitly, in exchange for services from the internet giants? Will consumers be willing to shift from today’s opaque, one-sided bargain for Personally Identifiable Information to a transparent negotiation? What is certain is that there is room for improvement between today’s hard-edged closed approaches and the Open Identity Exchange über framework. Evolution of closed approaches into new application niches is certainly more achievable than

the construction of an entirely novel ecosystem. Attribute services, strengthened by creative use of authentication based on dynamic data, represent an evolutionary step that cannot be skipped in the far more risky, and expensive, pursuit of a complex framework. At the very least, what is achievable in the next five years will do two things. It will provide new levels of privacy and security while opening up new markets for attribute exchange. As important, it will inform decision making for the next round of security infrastructure investment.

Federated identity efforts have long tried to share abstract identities across organizational boundaries. The trouble is that the way you are known in one context is not exactly the same as in any other context. Subtle variations in risk and relationship management create untold complexities. On the other hand, the elemental identity assertions that go to make up identities – given names, addresses, ID numbers and so on – do tend to have the same meaning across multiple settings. Therefore we propose “fractionating” identities into different component attributes and federating those.

AbOUT THE AUTHORS

George Peabody is a payments industry consultant with Glenbrook Partners focused on digital identity, mobile commerce, and payment security. George brings 10 years in payments technology and 25 years in IT and entrepreneurial management to help clients with strategy and market development. George is also a Certified Smart Card Industry Professional / Payments (CSCIP/P).

Stephen Wilson is principal at Lockstep Consulting, providing advice in all aspects of identity management. For the past 17 years he has helped organizations in government, health care and banking throughout the Asia Pacific establish authentication systems including Australia’s emerging national authentication frameworks, including the Gatekeeper PKI, the National Smart card Framework, the National Electronic Authentication Council and the Law Reform Commission’s Emerging Technology Advisory Committee.

Summer 2013

PROVISIONING PHYSICAL ACCESS CREDENTIALS TO MOBILE PHONES TRUSTED SERVICE MANAGERS KEY TO ENTERPRISE DEPLOYMENT Jill Jaracz, contributing editor, Avisian Publications

With NFC technology making its way to mobile phones and tablets, companies are looking for ways to leverage its power to simplify business processes. Much of the focus centers on the use of phones for financial transactions, but it’s also possible to put access control credentials onto the secure element so employees can use their handsets as corporate ID badges to gain physical access to buildings. But putting credentials onto handsets is a complicated process and few companies are equipped to undertake it on their own. Thus, the concept of the trusted service manager (TSM) evolved to help organizations provision data on the chips.

Summer 2013

TSMs came about in 2007 when the Global System for Mobile Communications pioneered the concept to enable NFC service adoption. The TSM was designed to be an independent entity serving mobile network operators and account-issuing entities such as banks, card associations, transit authorities, merchants and marketing companies, says Deb Spitler, vice president, mobile access solutions at HID Global Corp. “The TSM’s core function is to securely distribute, provision and manage the lifecycle of NFC applications to the mobile network operator’s customer base on behalf of service providers,” says Spitler. “They

do this through mobile network operator management, over-the-air provisioning or handset wallet management.” “TSMs are considered to be an important element for provisioning applications to NFC-enabled phones, because they can handle the special requirements of managing personal information in a data environment that conforms to payment industry security protocols,” says Spitler. TSMs help make sure that no weaknesses are introduced into the chain from the enterprise or company side. “You need a TSM is primarily so that you can control what goes on and what keys and credentials are then put onto the mobile phone’s

secure element,” says Amol Deshmukh, director of solution sales for mobile and financial services North America at Gemalto. The TSM offers companies the best available security as well as provide the ability to control credentials and change them as needs evolve or users leave. “[It’s] very similar to what you control when issuing traditional access cards,” says Deshmukh. When a ompany hires a TSM, it should understand what type of interaction to expect. The TSM would likely have a Web portal that a security administrator uses to administer and manage credentials to mobile devices, says Spitler. Another variation to hiring a TSM is bringing that role in-house by licensing a platform. Whether in-house or as a service, a TSM should be able to load the ID ap-

plication onto any phones the enterprise wants to support, says David Worthington, principal consultant, Payments & Chip Technology at Bell ID. TSMs typically do not get involved in the transaction process. In the case of physical access, it does not verify that the credential is in the hands of the right user or whether the door should be opened. “In a nutshell a TSM is a provisioning system, not a transaction system,” says Deshmukh. Even if an organization has a TSM, it still can be a challenge to get credentials on handsets. “Having the TSM doesn’t mean you have rights over the keys inside the phone. You still have to negotiate and get access to the keys,” says Jason Hart, executive vice president of cloud and identity solutions at Identive.

“They need to have relationships with all the different carriers, not just those within your geographic market,” explains Hart. “In the case of a global company, they’d need access and relationships with carriers and vendors all over the world.” The issue of who has rights to access the secure element continues to exist. In many cases, the carriers control one secure element and the handset manufacturer another. Making sure that the enterprise-hired TSM can place credentials in one or both of the secure elements is an issue to address, Hart says. Using a TSM to provision security credentials is an evolving trend, but the future of NFC in physical and logical access depends on this crucial link that controls over the air rights to the secure element.

Obstacles to NFC’S USE FOR physical access control It’s going to be a while before the smart phone replaces the traditional corporate credential, says Jason Hart, executive vice president of cloud and identity solutions at Identive. “What we’ve begun to see is subpopulations within an overall corporate population that want the flexibility and convenience of having a portable device,” Hart explains. “So people will still have their company ID badge, but we see the mobile phone as an augmentation of the card – or as an alternative.” The replacement time of phones could be a factor in implementing NFC access credentials. Due to phone contracts, it could be 18 months or longer before people are able to get new phones with NFC, says Worthington. “Not everybody will have a phone that supports it. Does this mean I give out NFC stickers to stick on the back of their old phone, so they can still basically wave their phone [for access] same as everybody else?” says Worthington. Companies may also have to determine whether they only want to deal with a specific type of phone, that is only Android devices or those with some sort of fixed certification or a controlled environment, says Worthington.

Summer 2013

BIOmETrIC frAUdSTErS:

TEChNOlOGy BrEEdS NEW BrANd Of OUTlAW andrEw hudson, contributing Editor, avisian Publications

In the words of the famous Wild West outlaw Doc Holliday, “Why should I obtain by force that which I can obtain by cheating?” The use of biometrics to authenticate and verify identity is growing, and as the number of uses both personal and professional increases, so too do the number of biometric modalities. While biometric technology promises to provide a more secure, robust means of authentication, it is by no means impenetrable and a new breed of criminal is already lurking in the shadows. A recent Accenture report entitled “Beating the Biometric Fraudster” reveals that no biometric modality is immune to attack. Established technologies such as fingerprint, voice and face are all subject

Summer 2013

to assault. And newer modalities, yet to be battle tested, provide opportunities for the biometric fraudster to exploit chinks in the technology’s armor. The report’s author Alastair Partington, Identity Domain lead at Accenture, reveals that spoofing – the fraudulent attempt to fool a biometric system with fake biometric data – is possible across the gamut of modalities. “Accenture has reviewed state-of-theart biometric modalities and discovered that they can all be spoofed to a certain extent,” says Partington. “While fingerprint, face and voice systems are most commonly spoofed; even iris, vein and DNA-based systems can be compromised with the right knowledge, techniques and tools.”

THE GOAL OF THE bIOMETRIC FRAUDSTER Accenture focused its research on capture-time attacks. Also used by ATM skimmers, these attacks present specific challenges. “At capture-time, biometric fraudsters typically attempt two kinds of attacks – impersonation and obfuscation,” explains Partington. The first method of biometric fraud, impersonation, sees the imposter attempt to be incorrectly recognized as a different, legitimate user. Obfuscation, on the other hand, occurs when a user manipulates his or her biometric traits to avoid recognition altogether.

IMPERSONATION The history of impersonation attacks is long, and as Partington explains, perpetrators can come in many forms. In a classic example of impersonation, a South Korean woman was deported from Japan in July 2007 after illegally residing in Nagano and working as a bar hostess. She was ordered not to re-

the fingerprint scanner, she was able to successfully fool the system. In a more bizarre attempt at impersonation, Brazilian doctor Thauane Nunes Ferreira was convicted of clocking in absentee co-workers by defrauding fingerprint scanners, which served as time clocks at the hospital where she worked – using a bag of silicone fingers. The woman was found with six fake sili-

much earlier, in 2005, as he was still limping badly near the Nogales border crossing in Mexico. More extreme is the story of Edgardo Tirado, who was arrested by Lawrence, Mass. Police for drug detention. Upon arrest, officers noticed rows of thick stitches on the tips of his fingers and thumbs. Edgardo Tirado turned out to be Gerald Perez, and the stitches were

There is no ‘silver bullet’ solution to the challenges presented by biometric fraud. No one prevention technique is suﬃcient, as each type of anti-fraud test can be surmounted with the appropriate capabilities. enter Japan for five years following her deportation but immigration officials in Tokyo found the woman in Nagano a year later. The Japanese government discovered that the woman had managed to spoof a million-dollar fingerprint-scanning system at the Tokyo International airport using little more than a piece of tape stuck to her finger. The woman had repeatedly entered Japan using the same trick. The airport scanner cross checks passengers’ prints against a database of registered criminals and individuals with deportation records. Along with the aid of a black market broker, the Korean woman used a fake passport and tape with another individual’s fingerprint. By placing her tape-covered finger to

con fingers each bearing the fingerprints of her co-workers. Dubbed “ghost workers,” police investigations revealed that nearly 300 employees had been receiving pay without going to work.

ObFUSCATION Equally troubling are the reports of attempted obfuscation. In 2007 Dr. Jose L. Covarrubias, a U.S. citizen and plastic surgeon, was arrested after replacing the fingerprints of an alleged drug dealer with skin from the bottom of his own feet. Authorities reported that Dr. Covarrubias had been paid $20,000 to perform the surgery that aimed to help the drug dealer avoid arrest. The drug dealer was apprehended

part of a procedure he had performed in the Dominican Republic to obliterate his fingerprints, making him impossible to identify through normal law enforcement means. An officer who had dealt with Perez before was the only one able to identify the fraudster. Apparently many criminals travel to the Dominican Republic to have this procedure performed – a cash procedure that costs from $1,000 to $7,000. At least six similar cases have been reported in the past two years. Once the fingerprints are obliterated, the criminal needs only new ID documents, a birth certificate and Social Security card. While these cases may seem far-fetched or downright comical, one troubling fact remains; they represent only those actually caught in the act.

Summer 2013

bIOMETRIC THEFT While impersonation and obfuscation are the primary methods employed by biometric fraudsters, they are not the only means of attack. Another class of biometric fraud involves the theft of biometric data. “This is generally more effectively achieved through classical IT cracking rather than sensor-time attacks,” says Partington. “In any case, the criminal use of stolen biometric credentials will often involve a subsequent impersonation attack.” Partington suggests that this new breed of identity fraud

Partington prescribes a three-pronged defense to help organizations implement the proper biometric system and precautionary measures. “Consider the business purpose of the system and the exposure it has to the outside world,” says Partington. “These factors determine risk and required fraud detection capabilities.” Partington describes it as a trade-off. “Anti-spoofing measures typically decrease user convenience, as they can generate false alerts on genuine users. They should therefore only be applied when high levels of security are genuinely required,” he explains.

fraudsters must be presented with a series of varied and unpredictable barriers, making their job considerably more challenging – and impossible to systemize

is the product of an ever-evolving authentication technology market. “Rather than significant changes in the types of fraud anticipated, we would point to a decreased barrier to entry for criminals wishing to attempt biometric frauds,” says Partington. “This is enabled by the same technology advances – and cost reductions – that has driven the global uptake of biometric systems.” Ironically, biometric evolution and advances in technology overall, may prove detrimental to system security. “Biometric fraudsters can now readily access the technologies needed to tamper with biometric documents, create spoofs, and test their results – all from the comfort of their own homes,” says Partington.

PREVENTATIVE MEASURES The arsenal of attacking options at the fraudster’s fingertips begs the question, what is being done to prevent fraudulent biometric attacks? Partington suggests a pragmatic approach to biometric fraud detection. “It’s a complex subject, with many factors to be taken into account, such as potential increased cost and complexity of the solution, a possible dependency on specific hardware or software components and the anticipated impact of anti-fraud measures on user convenience.”

Summer 2013

“There is no ‘silver bullet’ solution to the challenges presented by biometric fraud,” says Partington. “No one prevention technique is sufficient, as each type of anti-fraud test can be surmounted with the appropriate capabilities.”

MULTI-MODAL, HOLISTIC APPROACHES SHOW PROMISE One approach that has gained momentum is the use of multimodal biometrics, or the blending of more than one method of biometric authentication. Partington explains that though this approach is a step in the right direction but it can’t act as a stand-alone solution. “Multi-modality is a helpful approach, but it is far from being a sufficient countermeasure on its own,” says Partington. “Defense-in-depth is key – fraudsters must be presented with a series of varied and unpredictable barriers, making their job considerably more challenging – and impossible to systemize.” “Organizations need to adopt a holistic approach; one that integrates robust and innovative biometric fraud detection along with more traditional IT security techniques and processes,” he concludes.

fACE rECOGNITION fAIlS IN BOSTON ATTEMPTS TO ID bOMbERS FALLS SHORT bUT TECHNOLOGy SUCCEEDING IN MANy JURISDICTIONS

The procedural crime drama on television will show a technician taking grainy surveillance camera footage, enhancing it, running it through a facial recognition database and coming up with a match in seconds. As with many things in Hollywood, this isn’t really how it works. Media reports after the Boston Marathon bombing were critical of facial recognition technology because it didn’t help catch the two suspects despite plenty of photos and possible images in law enforcement databases that they could be matched against. After the Sept. 11, 2001 terrorist attacks, grainy footage of hijackers going through airport security were shown on news reports. At the time, some vendors hyped facial recognition, saying it would have been able to find and stop the perpetrators from boarding the planes. Those claims were exaggerated. That same year, high-profile trials of the technology at the Super Bowl and again in a crimeplagued area in Tampa, Fla. demonstrated that the technology was not up to the task. Since then, however, facial recognition has made significant strides and applications of the technology have increased. Google and Facebook use it to help identify people on social networking sites. Android phone users have the option of enabling the modality to unlock handsets. Thirty-five state driver license-issuing agencies use facial biometrics to authenticate the identity of existing document holders and make sure that individuals don’t have more than one license under different names. The technology is also more accurate, with a 2011 National Institute of Standards and Technology test demonstrating a .01% error rate with ideal images. But this concept of ideal images is where facial recognition can get tricky. The perfect enrollment image – and the subsequent test or probe image – would be a driver license or passport photo. Probe images might not have to be as good, but the better the image the better the results. “The bottom line is that if you have a quality image to match against a quality enrollment you will have a high

probability of a match,” says Jim Albers, senior vice president for Government Operations at MorphoTrust. Mobile and social networking applications aside, facial recognition will play a key role in law enforcement as a forensic technology similar to fingerprints, Albers says. “After the event there is an opportunity to go through videos or still images and do face recognition as a forensic,” he says. The technology may not have proven useful in the Boston Marathon case, but it can still help in other situations. “The images in that case were from a camera with a very slow frame rate and weren’t good enough to get a probe image,” Albers explains. Also, while it’s been reported that the older brother had previously been a person of interest, it’s not known whether photos of the brothers were in any law enforcement database to search against. In the past 12-years, photo databases have increased but law enforcement still needs quality enrollment images for the technology to work. Facial recognition is likely to become more prevalent, especially as surveillance cameras are upgraded and able to gather better quality images, Albers says. But the likelihood of being able to spot an individual in a group is still a ways off. “We’re not there yet, the technology can’t scan a crowd and pick out a bad guy,” he adds.

a sampling of successful facial recognition deployments In February, authorities in New Jersey arrested 38 people in Operation Facial Scrub. The list included five sex offenders and 29 people who, despite having suspended licenses, obtained fraudulent licenses. Of these, some had multiple DUI offenses and even used their false identities to obtain commercial driver licenses to operate trucks or buses. In March, the State of New York announced it had investigated 13,000 possible cases of identity fraud in the three years since facial recognition technology was implemented by the Department of Motor Vehicles, resulting in more than 2,500 arrests. The State of South Carolina uses facial recognition technology to help local law enforcement agencies identify and arrest suspects in cases involving shootings, murder, prison gang smuggling and more. Pinellas County, Florida, has solved hundreds of cases – including bank robbery and armed robbery – by running suspect photos through facial recognition software.

Summer 2013

DMV

Virginia launching STATEWIDE authentication System USES DMV data to verify Medicaid recipients When it comes to state services, a typical resident has some identity attributes with the Department of Revenue, some with the Department of Motor Vehicles and still others with various agencies such as the Department of Natural Resources. Moreover, if the resident uses Medicaid there’s attribute information stored there as well. For the past few years, there’s been discussion around consolidating the different state identity silos into one. The Commonwealth of Virginia is taking the first steps with a pilot program between the Department of Motor Vehicles and the Department of Medical Assistance Services. Virginia is creating the Commonwealth Authentication System that will verify a Medicaid recipient’s identity using data from the Department of Motor Vehicles, explains Dave Burhop, deputy

Summer 2013

commissioner and CIO with the Virginia DMV. In the future this system could be used by other state agencies to verify identification information as well. The impetus for the system was the Affordable Care Act, which will see 240,000 more Virginia residents using Medicaid, Burhop says. The goal was to ease enrollment into the system while also reducing fraud. The Virginia Department of Medical Assistance Services, which administers Medicaid in the commonwealth, reached out to the DMV to see if they could help make sure residents are whom they claim. “We provide data to the Virginia Information Technology Agency and they take it and combine with the Department of Medical Assistance Services,” Burhop explains. From that point, Medicaid

administrators can review the applicant’s information and verify their identity. The DMV will be providing the data, but it won’t have access to any Medicaid recipient information. The system will provide identity-vetting information for administrators and it will also provide citizen-facing functionality, says Mike Farnsworth, project manager for the Commonwealth Authentication System with the Virginia DMV. Instead of having to fill out and deliver or fax paper forms, the new system enables online enrollment. The individual will open an account that will take them through enrollment in the Commonwealth Authentication System, says Burhop. The system will vet the individual using the driver license data to confirm identity. He is now able to apply for Medicaid benefits. After filling out the required forms, the system will automatically perform the eligibility checks and make sure the data is forwarded to the proper caseworker. Previously, the system was paper-based and required caseworkers to go through each file to determine eligibility. “Then they would call the eligible person and have them come into the office, provide an ID and go through the process,” Burhop says. That won’t be necessary with the new system, expected to go live this summer. While the system is starting out with the Virginia Department of Medical Assistance Services, it could eventually roll out to other state agencies as well. “As we onboard more agencies the Commonwealth Authentication Service will become more valuable,” he explains. “We can provide a service that ensures they are who they claim to be.” Funding for this portion of the Commonwealth Authentication System comes from The Centers for Medicare and Medicaid Service, an agency within the Department of Health and Human Services.

State CIOs push for SICAM The vision of having one identity that can be used across all state agencies is one that’s been championed by the National Association of State CIOs (NASCIO). The association released The State Identity Credential and Access Management (SICAM) Guidance in late 2012 in order to help jurisdictions that want to consolidate identity silos. The road map is made up of the programs, processes, technologies and personnel used to create a trusted digital identity environment. This guidance promotes a federated approach where the identification of the requester and supplier are guaranteed. The SICAM architecture enables states and their partners to share and audit identification, authentication and authorization across state enterprises. Using an enterprise approach can reduce administrative and technological overhead caused by siloed, incompatible and un-auditable identity management systems;

lead to improved business processes and efficiencies; and reduce cyber security risks. The document aims to mirror the Federal Identity Credential and Access Management guidance, or FICAM, used by federal agencies. NASCIO has been working on this document and contemplating ways to issue one identity to citizens that could be used for multiple purposes, such as driver licenses, Medicaid and various utilities. Virginia’s project is a first step in starting a SICAM architecture, says Chad Grant, senior policy analyst with NASCIO. “It’s a great example of how states are looking across agency lines to get rid of the silos and use identity for multiple groups,” he adds.

Virginia tests waters via NSTIC pilot State driver license issuers are a natural fit for SICAM and the American Association of Motor Vehicle Administrators is on board with the architecture, says Grant. AAMVA and Virginia were awarded funds to pilot secure electronic identities with the National Strategy for Trusted Identities in Cyberspace. The $1.6 million pilot includes the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T. The Commonwealth Authentication System and the NSTIC pilot are separate now, Farnsworth says. “We’re seeing how the attributes associated with our data can produce a strong credential in the electronic identification ecosystem,” he explains. The two projects also have different delivery times. The Medicaid component of the Commonwealth Authentication System needs to be completed quickly while the pilot for the national strategy will take more time. The national strategy pilot is designed to evolve and build on itself, Farnsworth says. It needs to start with a level one, selfasserted credential and then add trust. One of the use cases the NSTIC pilot will provide is verifying that an individual is over the age of 18 without giving away their date of birth, Farnsworth says. The capability will use level one credentials and test an attribute verification system from the AAMVA database. The next step will be adding more capabilities and trust to those credentials, Farnsworth explains. This would include introducing multiple form factors and authenticating the credentials and various attributes. The last stage will require relying parties to consume the credentials. Some companies in Virginia have already approached Burhop and Farnsworth to discuss involvement with the project. “We have interest from CEOs of companies that manage millions of identities,” Burhop says. “They want a system so that Joe Citizen doesn’t have to get re-authenticated to gain access.”

Summer 2013

TWITTEr, lINkEdIN BrEAChES lEAd TO TWO-fACTOr AUThENTICATION HiGH-profile deploymentS Seen aS SaVior By Some, Knee JerK By otHerS Hackers are stealing user names and passwords at an alarming rate, and they’re using this information to access data from compromised sites. And because far too many people use the same login information these hackers are also gaining access to other uncompromised sites. LinkedIn, Twitter, Evernote and DropBox are just a few that have had their identity management databases hacked and user name and password information stolen. The breaches have led these sites to consider, and implement, two-factor authentication solutions to better protect users’ login credentials. This is most likely just the beginning of two-factor authentication deployments, as hackers increasingly target user names and passwords. Twitter experienced an attack wherein hackers were able to access users’ e-mail addresses and encrypted passwords, forcing the social media site to reset passwords on at least 250,000 accounts. Evernote, a web and mobile note-taking application, had to reset passwords for its 50 million users before deciding to push forward with optional two-factor authentication. LinkedIn fell victim to 6.5 million compromised user names and passwords in its breach last year.

Summer 2013

Most of the systems being deployed are similar. They are two-factor authentication systems that send users a second, one-time login code via text message making it more difficult for hackers to compromise an account with multiple passwords. The use of two-factor authentication on the web is not new as Facebook, Google and others have been employing the technology for some time. “One-time password tokens are pretty old,” says Terry Gold, founder at IDanalyst. “The enterprise has been using OTPs for some time but not enough and not for consumers.” Though a step in the right direction, none of the solutions are flawless. For Twitter, only one device can be registered, causing issues for organizations that have multiple people posting to a single account. DropBox’s implementation can also be problematic. If a user loses their handset and can’t remember their password they won’t be able to access their data. There isn’t a failsafe in place, Gold says. The problem with many of these twofactor authentication deployments is that they are knee-jerk reactions to breaches, Gold says. The organization creates the solution in-house and it’s not as well thought

out as some of the more tried and true solutions. These issues will eventually get ironed out. What may be next is the ability to use these credentials for more than one purpose, such as with Google, Facebook Connect and other open ID systems. “More organizations will adopt the strong authentication model and then they don’t have to issue and manage credentials,” Gold says. The weak link in this process is the identity vetting, or tying these credentials to an actual identity, Gold adds. There aren’t any standards when it comes to defining an online identity in the consumer space. “There’s no trust in the identity,” he explains. “To re-leverage the identity, there has to be some consistency and some level of definition of how this is done.” Following two-factor authentication, strong identity vetting and federation will come the need for encryption and key management, Gold explains. For sites like DropBox, encrypting a user’s data may be cumbersome but users are going to demand that functionality. The obstacle after that will be enabling the user to own the keys that decrypt the data, something that providers may want to control.