32 A survey of ID technology - Winter 2012 - Issue 32
Feds fund digital ID
anatomy of a password hack choosing the right card printer convergence muddied by Bring your own device
Bringing security to your world
Delivering ID programs that fit your country Government identity solutions from HID Global. The right interoperable products, the right field-proven brands like LaserCard® Optical Security Media (OSM), ActivIdentity® Credential Management System and FARGO® ID card printers and encoders. Tailored processes backed by years of the right design and integration expertise. We power the world’s most secure ID credential programs — including the US Green Card. We’re HID Global. Learn more at hidglobal.com/citizen-ID
All the flexibility you need in a card printer
Trade-in your old card printer for a Primacy
and save up to $300*! The ultimate card printer! Because your clients have varied requirements, the new range of Evolis Primacy card printers offers maximum flexibility.
Your customers will appreciate the ease of use, speed and unmatched print quality. You will love the versatility and easy hardware and software integration.
Single or double-sided printing, magnetic stripe encoding, smart contact or contactless chips – Primacy can do it all, thanks to the many onsite upgrades and options that can be added and combined.
A worthy and reliable successor to the Pebble and Dualys range, Primacy is covered by a full 3-year warranty.
*Maximum end-user discount, terms & conditions apply. Valid until March 31, 2013. Available with participating Evolis distributors and/or Resellers in selected countries – contact your Evolis Sales representative today or log on to www.evolis.com for more information.
www.evolis.com
WhAT SECURITY DEMANDS, DATACARD ID SYSTEMS DELIVER. ®
Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.
CONTENTS
24 Cover Story Feds fund digital ID The much anticipated identity ecosystem is beginning to form. The National Strategy for Trusted Identities in Cyberspace awarded $9 million to five organizations to pilot different aspects. Projects will have impact from children to seniors and flesh out policy necessary to create a safe and secure online identity system.
32 Anatomy of a password Are your passwords secure? Probably not. 2012 has not been a banner year for the much-maligned password with massive hacks and an outcry for better authentication techniques. Still, there are things security managers can learn from the hacks to improve password security.
40 BYOD disrupts IT, muddies convergence Bring your own device has become a hot topic the past 18-months as mobile identity becomes a greater concern for the enterprise. Add convergence of physical and logical security into the mix and the identity picture becomes even muddier. Security companies detail how some are conquering these issues.
32 40
48 Choosing the right card printer for your company A lot has changed with employee ID cards, and quality printing and personalization is more important than ever. Will the cards include embedded technologies? Will advanced security features be required? These are just a few of the questions a company should consider when selecting a new card printer.
48 Winter 2012
3
CONTENTS
6 You can’t fight BYOD Give us our devices and access to the secure element
45 Netflix, Good Technology test NFC For physical access control
62 SecureKey delivers online authentication with existing IDs
8 ID Shorts News and posts from the web
48 Choosing the right card printer for your company Navigating the showroom floor
64 Army Reserve upgrades physical access control Puts PIV to use with an eye toward standard’s revisions
9 Calendar Industry events from the identity and security worlds 13 Podcasts Details on National Strategy for Trusted Identities in Cyberspace pilots. 15 Videos The latest news and trends from the 2012 Biometric Consortium Conference 24 Feds fund digital ID Use cases target children to seniors 32 Anatomy of a password Educating users and security managers to withstand modern threats 39 Can passphrases strengthen the embattled password? Indiana University says yes, researchers suggest caution 40 BYOD disrupts IT, muddies convergence Melding physical and logical access tougher as devices proliferate 42 Turning NFC-enabled BYOD smart phones into secure credentials Lessons learned from early converged access pilots
4
Winter 2012
54 E-passport and border control update Progress remains slow on E-passport inspection 58 Feds require multifactor authentication for health IT Higher levels of assurance a necessity
66 NFC-enabling voter registration Rock the Vote goes high-tech for 2012 elections
60 PIV-enabling google apps NASA aims for the cloud
| INDEX OF ADVERTISERS | ASSA ABLOY | 31 www.intelligentopenings.com
Digital Identification Solutions |21 www.matica.us
AOptix | 23 www.aoptix.com/identity
Entrust | 27 www.entrust.com/epassport
CARTES | 59 www.cartes.com
Evolis | 67 www.evolis.com
CBORD | 5 www.cbord.com
HID Global | 68 www.hidglobal.com/citizen-ID
CSC | 7 www.csc.com/cybersecurity
Lumidigm | 53 www.lumidigm.com
Datacard Group | 2 www.datacard.com/id
SALTO Systems | 37 www.salto.us
Spending. Security. Event privileges. Your campus card system should open the door to a world of possibilities on campus, online, and beyond. CBORD® is the industry leader in campus card systems that keep a new generation of students connected to their university communities. Visit www.cbord.com and take your one-card program to the next level with CBORD.
Comprehensive Solutions. Innovative Products. Dedicated Service. The CBORD Group, Inc. • 61 Brown Road, Ithaca, NY 14850 • 607.257.2410 • FAX: 607.257.1902 • www.cbord.com
ABOUT
EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Liset Cruz, Andrew Hudson, Jill Jaracz, Gina Jordan, Ross Mathis, Denise Trowbridge, Jeff Wurfel ART DIRECTION TEAM Franco Castillo, Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2012 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.
6
Winter 2012
You can’t fight BYOD Give us our devices and access to the secure element Zack Martin, Editor, Avisian Publications
The use of the mobile device as an identity token has been a hot topic in recent years. This year bring-your-own-device or BYOD caught fire as companies began to grapple with the challenge of many devices, many operating systems and many threats. By now the pros and cons of BYOD are well known. Pro: If employees can carry the device of their choosing they are more likely to use it and be more productive. Con: IT departments must deal with an ever-growing list of handsets and operating systems. Pro: Corporations save money because they don’t have to issue devices. Con: Corporations have to worry about possible security breaches if an employee downloads malware or is infected by a virus. While IT debates pros and cons, the world moves on. Individuals become more and more dependent upon and loyal to their device of choice. If corporations issue a standard device or have a select list of approved devices they have to wonder: Will employees actually use them or will they end up
in a desk drawer when employees leave for the day? A common refrain is that people will forget their ID card but never their phone. But would that be the case with their secondary, company-mandated phone? I suspect not. In non-BYOD environments, the refrain might become employees forget their company phone but never their personal phone. The reality is that corporations will have no choice but to move to BYOD. The world has progressed beyond the point of doing anything else. Employees won’t carry two handsets and the one they like less – the employer-issued device – will be left behind. The question is no longer “to BYOD or not to BYOD?” It is “how do we support it in a way that serves individual wants and organizational needs?” Policy questions abound. What happens if a handset is compromised? Can the company remotely wipe a lost device? Is the employee reimbursed for lost apps?
PERSPECTIVE
These questions are within the confines of the organization and thus solvable. Significant technology issues exist, however, that are far beyond the control of any corporate IT department. Specifically relevant to use of the mobile as an identity credential are issues related to control of the handset’s secure element. If the oft-touted NFC is to be the tool to enable identity via the mobile, credential issuers – such as organizations, or their system providers that want to add employee IDs – must have access to the NFC chip on user devices. But will the parties controlling this access hand it over? Early on the industry naively thought that the obstacle was simply a lack of enabled handsets. Today, it recognizes that the challenge runs far deeper, as highlighted by pilot projects like those you will read of in this issue. To succeed, mobile identity requires that employees have devices with fully enabled NFC, and they need to be running on cooperative mobile carriers. The problem now is that each carrier would require a different agreement to place an application on the secure element. This is an enormous obstacle.
Mobile identity needs an organization to step forward to create the policy and rules that will enable companies to load applications on the secure elements. As long as these companies sign the master agreements and abide by the rules they will be able to access the secure element for not just one, but all participating mobile carriers. A year ago I thought the industry was on the cusp of great things in mobile identity but these policy issues are hindering growth as much or more than the lack of NFC-enabled handsets. These policy issues must be resolved.
DELIVERING TRUSTED IDENTITIES THAT ARE
BEYOND A SHADOW
OF A DOUBT Government and business rely on trusted identities. Whether you are protecting information or securing a border or critical infrastructure, you need to establish, with certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide identification but also protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy. CSC Identity Management Solutions and Services CSC.com/cybersecurity
TM
ID SHORTS
ID SHORTS Short stories from the web
GovernmentIDNews Slovakian government incorporates Datacard Group tech, enhances national ID Datacard Group announced that the Slovakian Government will employ the company’s suite of identification solutions into its national eID program. The company’s MX6000 card issuance system and the Syntera customization
software will enable the country to develop highly secure national eIDs, driver licenses, border crossing cards, vehicle registration cards and resident permits. Issuing nearly 520,000 cards annually, Slovakia is seeking to increase security features, expedite issuance and improve
8
Winter 2012
quality. The technology upgrade will result in more secure, higher-quality laser engraving and higher efficiency associated with smart card personalization and visual verification. The Slovakian government has partnered with Datacard since 2008 when it adopted Datacard’s PB6500 passport issuance system. Datacard’s MX6000 technology is used by a number of national eID programs. The company produces and personalizes 10 million cards, 5 million smart cards and hundreds of thousands of passports daily. The initiative with the Slovakian Government is the latest addition to Datacard’s more than 400 government contracts spanning more than 100 countries.
SecureIDNews New Defense Department self-service portal eases ID maintenance The Defense Manpower Data Center (DMDC) implemented a self-service portal to ease the process of ID distribution and maintenance.
DMDC made changes to its self-service online portal called RAPIDS, Real-time Automated Personnel Identification System. The approximately 3.7 million service members and reservists with Department of Defense Common Access Cards can go through the portal to apply
3.7 M
Service members and reservists can go through the portal to apply for family ID and retirement cards. for family ID and retirement cards. They can also use the system to update status of dependents. The system will eliminate the need for service members to wait in line to procure ID cards for their family members. Instead, they can pull up their dependents’ information through the RAPIDS website, fill out Form N. 1172-2 and digitally sign it. The recipient of the ID card can then pick up the finished ID card at a DMDC office.
ID SHORTS
A joint venture between At Security Jessen, Kaba and LEGIC Identsystems produced a trusted service manager solution that loads access applications and rights to NFC-enabled phones over a mobile network. LEGIC’s new TSM will focus on identification applications enabling LEGIC customers to load their apps onto smart phones and use them for access rights like hotel room authorization and payment applications. The system will essentially place all the usual functions found on a smart card directly into the NFC-enabled phone or device. As with other LEGIC services, the TSM will feature support for third party contactless technologies.
NOVEMBer FEBRUARY
The 11th Annual Smart Card Alliance Government Conference November 28-30, 2012 Walter E. Washington Convention Center Washington DC 2013 Payments Summit February 5-7, 2013 Grand America Hotel Salt Lake City, Utah RSA Conference 2013 February 25 - March 1, 2013 Moscone Center San Francisco, Calif.
APRIL
NACCU Annual Conference April 14-17, 2013 Disney Contemporary Resort Orlando, Fla. CARTES America April 23-25, 2013 Las Vegas, Nev.
NFCNews LEGIC announces its trusted service manager (TSM) solution
Cartes 2012 Exhibition and Conference November 6-8, 2012 Paris-Nord Villepinte exhibition centre Paris, France
ISC West 2013 April 9-12, 2013 Sands Expo and Convention Center Las Vegas, Nev.
MAY
HID Global has expanded its iCLASS SE platform with two additions: the standards-based iCLASS Seos credential and support for the industry-standard Open Supervised Device Protocol (OSDP). iCLASS Seos features a standards-based card edge and is portable for use on NFC smart phones so that customers can utilize smart cards, mobile devices or both within their physical access control system. The iCLASS SE platform also includes support for the Open Supervised Device Protocol, which together with secure channel protocol provides bi-directional communications and security features to interconnected devices. Support for OSDP adds key capabilities including central management of readers for lower operational costs and faster and easier configuration. The iCLASS SE platform also supports Seos digital keys from HID Global parent company ASSA ABLOY, which has launched the Seos ecosystem for issuing, delivering and revoking digital keys on NFC phones. Seos keys on mobile phones replace mechanical keys and access cards for opening doors to homes, hotels, offices, hospitals, universities, industries and commercial buildings.
Calendar
NFC Solutions Summit 2013 Smart Secure Mobile Payments and Non-Financial NFC Apps May 15-16, 2013 Hyatt Regency San Francisco Airport Burlingame, Calif. CTIA Wireless 2013 May 21 - May 23, 2013 Las Vegas, Nev.
September
ContactlessNews HID Global expands iCLASS SE platform with iCLASS Seos and Open Supervised Device Protocol
2013 Biometric Consortium Conference September 17 – 19 Tampa, Fla. ASIS 2013 September 24 – 27 Chicago, IL
Winter 2012
9
ID SHORTS
ThirdFactor Hitachi Europe delivers finger vein biometric solution for Poland’s bank BPH Hitachi Europe confirmed the delivery of a finger vein biometric authentication solution for Poland’s Bank BPH. One of Poland’s largest banks, and GE Capital group member, Bank BPH wanted a more secure PIN-less method of authentication. Finger vein biometrics was selected and has been in pilot testing throughout several of the bank’s branches since June of 2012. The technology uses an infrared light to capture the unique vein pattern in a person’s finger. The pattern is then stored as a template and used to verify the person’s identity for future transactions. In addition to being contactless,
10
Winter 2012
discreet and non-invasive, the vein biometric is believed to be virtually impossible to counterfeit. By the end of 2012, BPH plans to have fully integrated all 287 Polish branches to use the biometric as the main method of authentication at teller counters.
GovernmentIDNews Belkin unveils smart card reader for government Belkin released a USB smart card reader tailored for use with the Defense Department’s Common Access Card and other agency PIV cards. The card reader meets ISO7816 standards with additional security measures include a uni-body enclosure that deters physical electronic tampering and ROM
firmware to eliminate the risk of alteration. It operates with Windows 7 and standard CCID drivers. The Belkin USB Smart Card and CAC Reader is available for purchase through company’s U.S. network of distributors and comes with a three-year warranty, tech support and TAA compliancy.
ThirdFactor Lumidigm adds bar code functionality to biometric scanners Lumidigm announced that the company’s biometric fingerprint scanners can be extended to read bar codes and authenticate credentials, opening up new use cases for enrollment and access. Bar codes can be used to enroll an individual into a physical access con-
ID SHORTS
trol system. Using a mobile device, the individual would be enrolled and data collected for the ID record. The system would present a bar code back to the mobile device for scanning at the Lumidigm reader. Then the individual’s fingerprint would be enrolled and linked to the record. The scanners can connect to mobile devices via Bluetooth for convenient deployment.
vote, change their addresses through the U.S. Postal Service or register as organ donors. Future applications are many and could include issuance functions for hunting, fishing and parking permits as well as vehicle registration.
SecureIDNews Delaware deploys driver license kiosks
The Nigeria Tourism Development Corporation (NTDC) will create a biometric database of hotel workers throughout the country in an effort to cut down on hotel-related crimes. The centralized database would be used to track staffing changes from hotel to hotel. Those who commit crimes would be identified in the system so that hotel managers and owners could evaluate the background of potential hires.
Delaware unveiled its new driver license and personal identification kiosks to provide of quicker ID issuance and an improved customer experience for Delaware residents. Initial locations include Dover, Wilmington and Georgetown. The devices are provided by MorphoTrust USA, current supplier of driver license issuance solutions for Delaware, 40 other states, and the District of Columbia. The kiosks incorporate scanners, digital cameras and back office technology enabling Delaware to maintain a high level of security while speeding up the ID issuance process for replacement and renewal licenses and state-issued IDs. The user places the old license on the kiosk scanner, looks at the camera and the kiosk interfaces with the DMV mainframe to validate that the user is eligible to proceed. The user’s new image is compared to the one already on file with the state. If the two images match, the customers pays for the new ID and takes a receipt provided by the kiosk to the window of a secure processing room to retrieve the new license. Delawareans can also enter their data by touch-screen if they do not have the old licenses with them or have lost it. The entire process takes just minutes. Adding to customer convenience, users can also use kiosks to register to
ThirdFactor Nigerian tourism agency plans biometric tracking of hotel staff
GovernmentIDNews Thursby, Precise bundle products Precise Biometrics released its Tactivo smart casing for the iPhone and iPad in combination with the secure browsing software from Thursby. The new bundle combines the Tactivo smart card reader and fingerprint sensor hardware with the PKard Reader v1.1 app for access to Web email, portal, and collaboration sites with two-factor CAC or PIV smart card authentication and FIPS 140-2 security. Introductory discounted pricing is set at $249 for the iPhone bundle and $299 for the iPad bundle. The PKard Reader v1.1 app is currently available free on Apple’s App Store and future releases will be available to bundle purchasers at no additional cost.
The NTDC hopes the database will be able to help those in the hotel industry solve problems that deal with corruption and crime as the country's hotels strive to increase safety. The NTDC hopes the database will be able to help those in the hotel industry solve problems that deal with corruption and crime as the country’s hotels strive to increase safety.
Winter 2012
11
ID SHORTS
SecureIDNews HID’s ‘crack prevention tech’ validated in tests HID Global announced that its patented crack prevention technology for IC chip-enabled polycarbonate eID and e-passport credentials has been validated in the tests conducted by Smithers Pira. In laboratory testing, 100% of cards created using HID Global’s crack prevention solution were found to be immune to premature aging caused by the minuscule cracking that can occur when a chip is introduced to a polycarbonate card body. Cards without the crack prevention technology failed the test. The unique crack prevention feature optimizes the durability of cards and e-passport data pages enabling government customers to leverage smart card technology on a polycarbonate platform and extend the life of the credential.
12
Winter 2012
Smithers Pira Testing combines laboratory testing and simulation facilities. During the course of several years, HID Global’s R&D worked to develop and patent the anti-crack feature. As confirmed in the Smithers Pira report, the process prevents the development and emergence of micro-cracks by creating a cushion or “airbag” effect around the chip while maintaining a format compliant with stringent international standards limiting the size and thickness of machine-readable electronic IDs.
DigitalIDNews LexisNexis partnership to provide cloud-based identity verification LexisNexis Risk Solutions and identity services provider UnboundID and have teamed to integrate cloud-based identity authentication and verification services that enhance assurance of identity attributes exchanged in real time. Users of LexisNexis services will connect through the UnboundID identity platform and LexisNexis will verify and secure the profile, making sure the customer data is linked to an actual person. The LexisNexis Identity Verification and Authentication product includes InstantVerify and InstantAuthenticate, two real-time services that ward against the risk of fraud and identity theft as customers log in to the system. The UnboundID Identity Services Platform connects and unifies
identity information across different legacy systems. It securely stores that information and can deliver it to applications and services in real-time. The combined solution allows companies to use these services through a standard, reusable architecture.
GovernmentIDNews Software House receives PACs certification Software House, part of Tyco Security Products, announced that it has earned Trusted PACS Product Certification for the integration of its C•CURE 9000 security system with the Codebench’s PIVCheck credential validation software and Veridt’s MultiMode door access reader. This designation from CertiPath ensures that the three-product combination has been tested against the end-to-end system requirements for interoperability and performance in PKI-based physical access control environments. U.S. Federal Agencies, now subject to OMB Memorandum 11-11, have begun to upgrade physical access control systems to interoperate with their FIPS 201 PIV credentials. Early adopters of these systems often experienced noninteroperable and non-conformant systems. CertiPath is a testing lab certifying end-to-end PIV capable PACS. Many U.S. Government agencies and commercial companies alike rely on the Certified Products List (CPL). The systems went through a testing process to earn the Trusted PACS Product Certification, which certifies PKI-based identity, access and control management solutions for both physical and logical systems. Codebench PIVCheck Desktop software provides a three-step authentication process that is a prerequisite to PACS registration. The software verifies the cardholder’s PIN, extracts cardholder data from a smart card, and verifies
ID SHORTS
the cardholder’s identity using biometric matching. Digital certificates are validated using the issuer’s certificate authority and all credentials are authenticated using FIPS 201 challengeresponse protocol in order to identify forged or cloned cards. Veridt’s MultiMode is a contact and contactless biometric reader. Credentials supported include: PIV, PIV-I, TWIC, FRAC and CAC (legacy, NG, EP), any data model based on MIFARE, DESfire, ISO 14443A/B, and ISO 7816.
NFCNews Spanish university rolls out NFC The University Católica of Murcia in southeastern Spain is piloting NFC for physical access, payments and attendance. SALTO Systems, Banco Santander, Vodafone and Gemalto are collaborating on the project. The eight-month project, run by the Santander Universities Global Division, will see all staff and more than 20,000 students at the university use NFC-enabled services. Users will be able to access all university buildings including access to laboratories, classrooms, gym and library as well as the parking areas. The school has deployed a campus-wide contactless solution that enables the university to integrate all its physical security and management needs through SALTO Systems’ wire-free networked stand-alone locks for access control. A video produced by the university shows a student using his handset and NFC capabilities to check bus arrival, verify attendance to class, access labs, enter a school recreation facility and check out a bicycle. The pilot also includes additional services leveraging the NFC and data-on-SIM based technology to store student academic profiles, university accreditation, data use on campus and public transportation services. The latter includes both local buses and a bicycle rental service where users can load funds on to their mobile phones via a network of payment machines and kiosks.
PODCASTS Episode 98: Grant details NSTIC future Jeremy Grant, head of the National Program Office for the National Strategy for Trusted Identities in Cyberspace, talks about the pilots awarded and common themes linking awardees. He discusses the Identity Ecosystem Steering Group and plans for next year.
Episode 99: Digital ID for kids and health care Resilient Network Systems’ Pat Reilly discusses the company’s two NSTIC pilot initiatives, one around health care and the other around child safety online. “How do we make it so that doctors, insurers and physicians know how to find the information about me from other doctors and labs, etc.,” Reilly asks. “And how do we make sure that the identities of children aren’t misused?”
Episode 100: NSTIC for senior citizens Daon’s was chosen as an NSTIC pilot award recipient and Cathy Tilton, the company’s vice president of Standards and Technology, describes the plan. It envisions an identity platform using smart phones with multiple authentication methods for riskbased authentication. A key audience is senior citizens and their needs in online identity.
Episode 101: Privacy, anonymous credentials and NSTIC Internet2’s NSTIC pilot will explore a privacy infrastructure for the identity ecosystem, including the application of anonymous credentials. “Our goal is to provide a consistent privacy infrastructure so that whether you’re functioning as a citizen, consumer or worker, you see a common set of tools used in a common way to manage privacy,” says Kenneth Klingenstein, director of middleware for Internet2.
Episode 102: AAMVA and Internet IDs Some have called NSTIC an Internet driver license, so it seems logical that the American Association of Motor Vehicle Administrators received a pilot grant. Geoff Slagle, director of identity management at AAMVA, explains that the group will lead a team of industry and government partners exploring ID vetting and document issuance in digital environments.
Episode 103: AttributeS powers NSTIC Criterion Systems’ NSTIC pilot is an attribute exchange network that aims to help consumers securely share information with online service providers. The concept is to simplify the transaction model and enable participants in the ecosystem to cost effectively provide these services to replying parties, says David Coxe, CEO of ID Dataweb and cofounder of Criterion. The system will be piloted in the financial services sector and online auctions.
Winter 2012
13
ID SHORTS
RFIDNews RFID arrestee management system deployed at Republican National Convention The GUARDIAN RFID Corrections System, in partnership with the Hillsborough County Sheriff’s Office in Tampa, Fla., unveiled the RFID Arrestee Management System to accelerate the speed and accuracy with which arrestees are captured, identified and managed from the point of arrest to release. Law enforcement officers can outfit a suspect with an RFID wristband and capture a wide range of data about the individual using a rugged mobile computer equipped with an integrated RFID reader. Relevant data is automatically synchronized in real time and made instantly accessible via web-based software so that command staff could securely monitor operational performance from any location on any device at any time. The Arrestee Management System was developed in preparation for the Republican National Convention (RNC), held in August 2012. The Hillsborough County Sheriff’s Office, in coordination with the Tampa Police Department, deployed the system throughout the city.
14
Winter 2012
Relevant data is automatically synchronized in real time and made instantly accessible
ID SHORTS
videos Animetrics adds third dimension to strengthen facial recognition Facial recognition specialist, Animetrics, adds detail to twodimensional images to create a 3D structure. Comparing 3D images of a known subject with images captured in the field, one-to-one identification of a person becomes possible. Animetrics system engineer, Sean Doucette, demonstrates use of the software to identify Casey Anthony from a video segment taken while she was in hiding. He explains how this technology can benefit law enforcement reviewing crime scene footage, surveillance video and other images.
AOptix moves millions through airports with iris In the past year, iris leader AOptix processed more than 5 million passengers through aviation security and immigration environments. The company expects to scale to 50 million per year in the next 18 months. It is changing the way people travel, the way airports manage their footprints and the way immigration authorities manage biometrics at the border, says Joey Pritikin, project manager at AOptix. It is letting people start enjoying the travel process again because they are spending less time waiting in line, he adds. In one of the company’s new deployments, a 49-minute immigration process is reduced to 22 seconds for all travelers. AOptix is also launching smart mobile identity putting iris biometrics into smart phones and mobile devices. Pritikin says they are committed to multimodality and will be bringing fingerprint, face, voice all converged on one platform. The mobile solution will bring yet unseen iris image quality to the smart phone platform. Because of the company’s focus on optics and imaging, the product will work in bright sunlight, where other iris platforms have failed. This is crucial, explains Pritikin, because most mobile use cases occur in bright sunlight.
Winter 2012
15
ID SHORTS
HealthIDNews Michigan health network strikes patient ID deal with HT systems The health information exchange, Michigan Health Information Network Shared Services, announced an agreement with HT Systems to provide the PatientSecure biometric identification solution to the state’s health care providers at a reduced cost. PatientSecure scans a patient’s palm vein pattern and links the patient to their medical record. Across the country, more than 160 hospitals and hundreds of affili-
16
Winter 2012
ated clinics and physician’s practices use the solution. Five millions patients are currently enrolled and tens of thousands of patients are successfully authenticated on a daily basis on return visits.
DigitalIDNews Canada Post updates digital mailbox Canada Post is releasing a new version of its epost digital mailbox platform to add functionality and leverage government and business services. Along with
design enhancements and improved bill management tools, it also features a new authentication process that enables users to link their digital identity with a physical address. This layer of authentication will allow the government to deliver more private e-services and allow users to securely communicate with business and government. The government hopes to use this bill consolidation platform to provide new e-services to users, such as license sticker and parking permit renewals. It also hopes to offer businesses a way to
ID SHORTS
remit secure online transactions with the government. The service will first launch in Kitchener Waterloo and then rollout nationally into 2013.
ThirdFactor Facial recognition software triggers New Jersey license smiling ban The State of New Jersey Department of Motor Vehicles implemented a smiling ban for driver license photos in an effort to protect its facial recognition database.
The state updated rules earlier this year because its facial recognition database has problems managing large numbers of photos that include smiles and smirks. The state can share the information in its database with the FBI’s Next Generation Identification (NGI) program.
FinancialIDNews The Philippines adds biometrics for cash grant authentication The Leyte Provincial Government in the Philippines deployed a biometric to authenticate recipients of cash grants from its welfare programs. Cash grants are given to extreme low-income households for the purpose of feeding and schooling children. The past system utilized ATM cards, but it was uncovered that recipients were using these as loan collateral. Implementing the biometric system will force the enrollee to claim and withdraw the grant in person. The plan is to roll out across the country ultimately serving more than 3 million people enrolled in the grant programs.
GovernmentIDNews West Virginia chooses biometric enrollment system, awards services contract The State of West Virginia has chose NextgenID’s Multi-modal Biometric Enrollment (MBE) Kiosk for enrolling employees, contractors and citizens into the state’s new West Virginia Identity Management Service. This service will aid the transition to the use of trusted digital identity cards in the state’s counties and municipalities. The state awarded a services contract to TecSec Services to establish a unique identity at high levels of assurance, issue credentials and then enable multifactor authentication. The system will also contain secure digital attribute containers, as well as provide encryption and digital signature functionality that can be tied to a single identity. This identity will then be used for statewide process applications.
The NextgenID Kiosk is a freestanding system that is compatible with the Americans with Disabilities Act standards. It can complete identity enrollment in less than five minutes, and transfers enrollment data to a central repository via a secure web portal. The Identity Management Service is being led by the West Virginia Division of Homeland Security and Emergency Management.
ThirdFactor Oberthur and Zvetco collaborate for biometric authentication Oberthur Technologies and Zvetco Biometrics are collaborating on a biometric authentication device designed for government and company computing environments. The companies will combine the Oberthur ID-One PIV smart card with Zvetco Biometrics Verifi fingerprint readers. The smart card complies with FIPS 201 for physical and logical access control. Applications include authentication, digital signature, fingerprint on-card comparison, encryption, cashless payment and post-issuance management.
SecureIDNews Keesing unveils ID document authentication solution Global ID document and banknote verification solutions provider Keesing Technologies launched its ID AuthentiScan solution that enables rapid verification of an ID document’s authenticity. In just seconds, the system automatically performs multiple checks of an ID placed on a passport reader, providing authentication at the highest level without requiring specialized operating knowledge or skill.
Winter 2012
17
ID SHORTS
videos EyeVerify secures mobile devices with eye vein biometrics EyeVerify specializes in eye vein biometrics, the process of imaging and pattern matching the blood vessels in the whites of the eye. EyeVerify uses a cell phone camera to capture vascular patterns to achieve fingerprint-level accuracy using a device people never leave home without. Use cases include accessing enterprise VPNs, online bank accounts and medical records, says Toby Rush, CEO and founder at EyeVerify. He adds it works for internal employees or external facing consumers, no matter where or when. The reason the solution does not require sophisticated optics is that it can utilize images captured in visible light where other biometric systems require near-infrared light. The modern cell phone camera is more than sufficient, says Rush.
IEEE launches new version of biometric training program
It conducts up to 40 checks on an ID credential and determines whether or not the credential is authentic and valid. For further security verification, the solution can be checked against Keesing’s ID credential reference database, which includes 2,500 ID documents from more than 200 countries and organizations. Keesing’s solution also features a screening tool that allows the user to match a credential – and its holder’s personal information – to multiple national lists.
ThirdFactor Indonesia close to rolling out biometric-based national ID card project Indonesia with its 70,000 plus islands, electricity issues and limited bandwidth is preparing to roll out one of the world’s most ambitious biometric ID initiative to date. A Computerworld report revealed that the initiative will cost the country $600 million and will provide 172 million
IEEE launched the Certified Biometric Professional (CBP) program in 2009. In July 2012 it launched version 2.0 of the training program that is used by candidates preparing for the 150-question multiple choice exam. Version 2.0 includes updates to sections including compliance and standards, methods and applications, system design and implementation as well as new descriptions and case studies. IEEE now has certified professionals on six continents and the numbers continue to grow, says Kelley Johnson, IEEE CBP program. The next test window is Nov. 17-Dec. 31.
NexID helps fingerprint scanners add liveness, spot spoofs NexID is a spinoff from West Virginia University and Clarkson University that develops technology to determine if a fingerprint image is from a live finger or a spoof. Both optical and capacitive fingerprint readers are suspect to spoofing, but NexID’s software algorithms can be used to train these scanners to recognize spoofs, explains Mark Cornett, general manager at NexID. The company is developing an SDK to enable anyone to incorporate liveness detection into biometric devices during the development process, says Cornett.
18
Winter 2012
residents a national identity card. The project is expected to be fully functional before Indonesia’s next election in 2014. The project will issue each citizen an e-KTP card – an electronic national ID card to be used for voter registration, passport issuance, tax and financial applications. Citizens enroll at registration centers where their fingerprint, iris and face are captured. The biometrics are stored along with personal data as a record and tied to their electronic identity card. Husni Fahmi, head of the e-KTP Technical Team, estimates that the program is issuing 8,000 cards daily with 118 million e-KTP records already stored in the country’s databases.
ID SHORTS
In development since 2010, the system is expected to help combat the country’s sordid past with voter fraud, counterfeit documentation and terrorism. Technology for the project is provided by HP, L-1 Identity Solutions, Topaz Systems and Indonesian-based Biomorf.
ThirdFactor DHS awards biometric capture contract to USIS The U.S. Citizenship and Immigration Services awarded a contract to US Investigations Services Professional Services Division, a background investigations provider, to conduct biometric capture services for immigration benefits and U.S. citizenship. The contract is categorized as an indefinite-delivery/ indefinite-quantity contract. The terms are for one base year with four one-year options, with a potential contract value of $889 million. Under the contract terms, USIS PSD will provide biometric capture services at over 130 USCIS Application Support Centers across all 50 states and U.S. territories.
SecureIDNews Identive to release updated Hirsch Velocity software Identive Group will release an update to its Hirsch Velocity security management solution including new features for integrated physical and logical access management. Hirsch Velocity 3.5 adds real-time capabilities to enable end-users to instantly get information across devices and environments. The system can also deliver information to mobile devices regarding the most current threat assessment information. The system functions through an Internet or intranet-based Web console that’s compatible with most browsers. With it, administrators can monitor alarms remotely. It’s also able to easily bridge physical access and IT infrastructures. Add-on options are also available, including access to the U.S. Transportation Security Administration No-Fly List, Active Directory user synchronization and point level e-mailing. The system comes in a federal version that enables PIV, PIV-I and CIV credential registration and can monitor the status of the PIV Authentication Key and Card Authentication Key certificates on each ID card.
videos Lumidigm goes below the skin for stronger fingerprint templates Conventional fingerprint readers rely on surface characteristics, but Lumidigm uses multi-spectral approach to capture the fingerprint, explains Bill Spence, vice president of transaction systems at Lumidigm. The company’s sensors are ideal for rugged, challenging use cases. They use multiple wavelengths of light to look at different aspects of the finger. For example, the blue light component reads the surface where green light component penetrates to read the capillary finger bed about one millimeter below the surface, says Spence. Lumidigm’s systems avoid the problems conventional fingerprint systems face in very dry environments, such as hospitals, or very wet environments, such as outdoor locations. The sensor can even work through gloves to capture usable images.
Natural Security standardizes user experience for biometric authentication Natural Security is positioning its solution as a new standard of authentication for transactions – including payments, logical or physical security, online banking, and more, says Dominique Pierre, business development at Natural Security. The system combines a fingerprint or other biometric with a radio frequency device that communicates with a Natural Security-enabled reader. The radio frequency device can be read without removing it from the pocket making it convenient for users. The reader, for example a point-of-sale device, could be within range of multiple RF devices from nearby users. To determine which Natural Security device to use for the transaction, biometric match-on-card is used. The individual who is intending to initiate the transaction provides his biometric, for example fingerprint, to the reader. The reader shares this encrypted biometric template with the nearby devices, but only the device that successfully completes the match-on-card is enabled for the transaction. The key to the Natural Security concept is that the same simple, convenient user experience is replicated across all transaction types.
Winter 2012
19
ID SHORTS
DigitalIDNews Microsoft buys PhoneFactor Microsoft announced the acquisition of multifactor authentication solution
provider PhoneFactor. Founded in 2001, PhoneFactor is used to secure logins and transactions by leveraging the phone for multifactor authentication across a range of applications. The solution already works with many Microsoft products and services and interoperates with Active Directory. “The acquisition of PhoneFactor will help Microsoft bring effective and easy-touse multifactor authentication to our cloud services and on-premises applications,” said Bharat Shah, corporate vice president, Server and Tools Division for Microsoft. Terms of the deal were not disclosed.
ThirdFactor Gabon selects Gemalto for biometric national registry The State of Gabon selected Gemalto to build a national biometric civil registry to replace the current paper identification system. The project, a part of Digital Gabon’s strategic plan, aims to have the registry in place before local elections in 2013. Gemalto will create an end-to-end system with its Coesys biometric citi-
20
Winter 2012
zen enrollment system. This system uses both desktop and mobile stations to capture citizens’ demographic data, fingerprints and digital photographs. It then uses fingerprint matching to ensure each entry is unique. The system also includes Gemalto’s Coesys Issuance solution to personalize official documents and provide PKI for
securing eGovernment services. Upon completion, the biometric database will be the main registry for all forms of citizen ID, including birth certificates, national ID cards, passports and driver licenses. Biometric authentication will also be included for government benefits programs.
GovernmentIDNews Trüb to provide Guinea with new polycarbonate ID cards Identification solutions specialist Trüb will develop a national ID solution the Guinean government. The new identity cards will be issued to each citizen of Guinea when they register to vote. The initial use will be as an ID for voting purposes but there are plans to extend it to serve as a national ID, issuing a card to every citizen regardless of voter registration status. The polycarbonate ID cards guarantee a lifespan of 10 years and are personalized using laser engraving to protect against fraud. Working alongside Trüb is the South African-based systems integrator Waymark Infotech, Sabari Technologies and Brand new Technologies.
DigitalIDNews Bell ID unveils certificate manager
Bell ID launched its Bell ID Certificate Manager, a Web-based platform to manage digital certificates in computer networks, smart phones, smart cards and USB tokens. Aimed at enterprises, governments and third-party service providers, it re-
ID SHORTS
duces operational costs by delegating control to end-users via a self-service portal and by automating many bulk certificate management tasks. IT empowers end-users with certificate management capabilities, allowing organizations to improve central IT service desk activities thus reducing costs and freeing up resources. The system checks the expiry dates and certified data of employee certificates and issues email notifications when action is required. The product supports the management of any type of certificate from different Certificate Authorities and integrates with existing IT systems. As part of Bell ID’s identity suite, the solution can be extended to other applications such as physical access control, biometric identification or loyalty.
Bell ID Certificate Manager has successfully passed all Open Web Application Security Project vulnerability tests and is currently being deployed at several customer sites.
DigitalIDNews State group issues ID roadmap The National Association of State CIOs released the, “State Identity Credential and Access Management Guidance and Roadmap� to help states grappling with ID management challenges. The document explores the programs, processes, technologies and personnel used to create a trusted digital identity environment. It promotes a
federated approach where the identification of the information requester and supplier are guaranteed. The SICAM architecture aims to enable states and their partners to share and audit identification, authentication and authorization across state enterprise boundaries. Using an enterprise approach can reduce administrative and technological overhead caused by siloed, incompatible and un-auditable identity management systems. The can lead to improved business processes and efficiencies and reduce cyber security risks, it suggests. The document aims to mirror the Federal Identity Credential and Access Management guidance, or FICAM, used by federal agencies. NASCIO has been working on this document and
Winter 2012
21
ID SHORTS
contemplating ways to issue one identity to citizens that could be used for multiple purposes, such as driver license, Medicaid and other purposes.
SecureIDNews HID releases iOS software kit HID Global announced the release of the ActivClient Mobile Software Development Kit (SDK) for iOS. Application developers, enterprises, government entities and other organizations can use this kit to enable twofactor authentication, signature and decryption capabilities for iPhones and iPads. It provides a layer of middleware that connects strong two-factor authentication credentials to applications and encrypted containers running secure application stacks on the mobile device. It supports PIV smart cards and HID Global smart cards connected to the iPhone or iPad using the Precise Biometrics Tactivo smart card reader as well as secure microSDs connected to the iPhone using an Appleapproved sleeve.
ID technology news online every day or via a free weekly email Explore online for up-to-the-minute news and insight on identity and security technologies. Articles, podcasts and videos from Re:ID Magazine’s editorial team are added daily to the sites below. Sign-up to receive weekly updates via our free email newsletters. Visit any of the sites below and enter your email in the box at the top left corner of the page to register. ContactlessNews.com: Contactless smart cards, identity, access, payment and transit solutions. CR80News.com: Campus cards for primary and university ID, security and payment solutions. DigitalIDNews.com: Online and Digital ID, securing Web ID’s, PKI and digital certificates. EnterpriseIdNews.com: Identity management systems, cloud-based and financial applications. FIPS201.com: Approved product listings for the FIPS 201 identity standard, PIV and PIV-I solutions. GovernmentIDNews.com: Government ID solutions for citizen ID, driver license, border control and more. HealthIDNews.com: Secure ID for health care payers, patients and providers. IDNoticias.com: ID and security news and insight translated for the Spanish speaking audiences. NFCNews.com: Near Field Communiation technology, handsetsm tags, applications and projects. RFIDNews.org: RFID and sensor technology for logistics, pharma, animal and product tagging. SecureIDNews.com: Government and large enterprise ID, smart cards, identification and authentication. ThirdFactor.com: Biometric identification and authentication solutions for crossindustry applications.
22
Winter 2012
+ Dynamic Duo AOptix™ InSight ® Duo Combines the Performance of Iris and the Utility of Face The AOptix InSight Duo is the first and only system to simultaneously capture both an ISO/ICAO compliant face image and one or two ISO-standard iris images. The fast, automatic, non-contact capture takes mere seconds and is effortless for subjects, and if present, operators. Merging the accuracy of iris, the ubiquity of face, and outstanding ease-of-use, InSight Duo heralds a new era in conclusive authentication for identity-dependent applications including aviation security, expedited passenger processing, transportation, and border security. For a demonstration or more information, please contact us at (408) 558-3300 or visit us online at www.aoptix.com/identity. Copyright © 2012 AOptix Technologies, Inc. All rights reserved. AOptix, AOptix logo, and InSight Duo are trademarks or registered trademarks of AOptix Technologies, Inc. or its affiliates in the U.S. and other countries. All product information is subject to change without notice.
NSTIC PILOTS
Feds fund digital ID Use cases target children to seniors Zack Martin, Editor, Avisian Publications Gina Jordan, Contributing editor, avisian publications
The amorphous identity ecosystem is starting to take shape. After more than a year of discussion, funding for pilots to demonstrate what an identity ecosystem is all about has been awarded and projects are starting to coalesce. Five pilot projects received a total of $9 million as a part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The pilots cross markets and user communities including health care,
online media, retail, banking, higher education and state and local government. “Our goal is to make something happen that otherwise would not happen,” says Jeremy Grant, senior executive advisor for identity management and head of the National Program Office for NSTIC. The five winners – the American Association of Motor Vehicle Administrators, Daon, Criterion Systems, Resilient Networks and Internet2 – were weaned
Go to SecureIDNews.com/podcasts to hear more from NIST’s Jeremy Grant (episode 98).
24
Winter 2012
from 186 original entries and 27 finalists. “All are different but they share a common theme of partnership,” Grant says. “It’s less about building something new than getting these credential technologies out there and setting up identity ecosystems in miniature.” Re:ID spoke with representatives from the five pilot winners. Each detailed different aspects of the identity ecosystem their project would be testing.
NSTIC PILOTS
Go to SecureIDNews.com/podcasts to hear more from Daon’s Cathy Tilton (episode 100).
Daon
Key partners: AARP, PayPal, Purdue University, American Association of Airport Executives
With experience in both national ID and border control programs, Daon is no stranger to large-scale identity projects. The $1.8 million Daon pilot will demonstrate how consumers – specifically senior citizens – can benefit from a digitally connected, consumer friendly identity ecosystem. It is intended to show how trusted interactions with multiple parties online can reduce fraud and enhance privacy. The pilot will employ identity solutions that leverage smart phones and other mobile devices to give consumer’s choice and usability. Pilot team members include the American Association of Retired Persons, PayPal, Purdue University and the American Association of Airport Executives. There are four parts to Daon’s pilot, says Cathy Tilton, vice president of Standards and Technology at Daon and lead for the company’s NSTIC pilot. The first part will see the deployment of IdentityX, an identity authentication platform that is already operational at the Amazon Web services data center. The IdentityX solution uses the end user’s mobile phone or tablet and different combinations of security options to provide varying levels of identity assurance. Identity can be verified using multiple authentication methods including proof of possession of the phone, geolocation, passwords, out of band one-time passwords, voice and facial recognition biometrics and digital certificates. The selection of methods used will vary depending on the sensitivity and risk of the transaction. For example, a simple transaction with low risk such email login could require just phone possession plus the entry of a PIN. A transaction with higher risk, such as transferring money from a bank account, could require PIN, face and voice matching as well as geolocation via GPS to confirm the user’s location. “That technology uses a smart phone as a multi-factor authentication platform into traditional applications, Web apps and mobile apps,” Tilton says. “It hosts up to eight different authentication methods and based on the risk level of the transaction, invokes some combination of methods to
get to the assurance needed.” The second portion is a research agenda with Purdue University. Researchers will look at the data collected during the operational pilots to evaluate usability and accessibility, privacy, security, performance and user acceptance. The third area is the operational pilot. Daon teamed with relying parties including AARP, PayPal, the American Association of Airport Executives, Purdue University’s IT department and a major bank. Each will utilize IdentityX with a set of pilot subscribers to collect data and feedback, Tilton says. The final part of the pilot is the trust framework integration. Thus far companies have only deployed IdentityX internally, Tilton explains. “We’re going to extend our capability to work within several existing federally-certified trust frameworks such as Open ID, Open ID Connect, Kantara and InCommon,” she says.
Focus: To show how mobile devices can be used by senior citizens for trusted online interactions.
Cathy Tilton
Winter 2012
25
NSTIC PILOTS Go to SecureIDNews.com/podcasts to hear more from Criterion Systems’ David Coxe (episode 103).
Criterion Systems Key partners: AOL, LexisNexis Risk Solutions, Experian, Ping Identity, CA, Wave Systems, InCommon The almost $2 million Criterion pilot will attempt to demonstrate a multi-party attribute exchange network. The pilot will enable consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. The Criterion team includes ID DataWeb, AOL, LexisNexis Risk Solutions, Experian, Ping Identity, CA Technologies, PacificEast, Wave Systems, Internet2 Consortium/InCommon Federation and Fixmo. It aims to enable convenient, secure and private online transactions for consumers, including: access to Web services from identity service providers, seller login to online auction services, access to financial services at Broadridge Financial Solutions, improved supply chain management at General Electric, and first-response management at various government agencies and health care service providers. The basis for the Criterion pilot began in 2011. Members of the Open Identity Exchange created open-source software to support cloud-based Web services to test a global online system that is federated, interoperable and secure, says David Coxe, CEO of ID Dataweb and cofounder of Criterion Systems. Criterion will use the open standards platform to simplify online identity verification by verifying identity attributes to validate businesses and consumers. The consumer is not charged to participate, online enterprises pay less than in the past and attribute providers and identity providers generate new sources of revenue. One problem Criterion is attempting to solve is that most attribute providers charge a per user fee to verify consumer information. “Large enterprises like Google rallied around the idea to get these costs under control,” Coxe says. “We want to
26
Winter 2012
increase trust and thereby increase the number of transactions that occur online and make it easier for users, (but) we can’t pay for verification of every one of our hundreds of millions of users.” The concept of the pilot is to simplify the transaction model and enable participants in the ecosystem to get to market and provide those services in a cost effective way for replying parties.
Focus: To establish an attribute exchange network that limits the consumer information shared with a relying party to only those elements required to authorize the transaction.
Criterion will operate pilots with numerous participants, including Broadridge Financial Solutions, PayPal and General Electric. Broadridge will be the first pilot and will also test preference management, Coxe says. From an end user perspective the system is similar to federated identity systems in place now, such as Facebook Connect and Google. The difference is additional vetting will be done to enable issuance of highassurance credentials, Coxe says. Coxe cites the example of an individual who is logged into their Gmail account but goes to access their bank. The bank could offer the consumer the option to use the Gmail login for access if they are willing to undergo a bit of additional registration. The individual fills out the additional data, is verified and then receives a PIN number via text message on the mobile phone. The individual enters the PIN into the site and his identity is bound with the Gmail login. “Next time you go to that site on that computer, it uses that credential and everything happens in the background,” Coxe says. “You don’t have to enter a password.” Since the consumer has now been verified with that system, the same credential can be used at other sites for login and purchases, Coxe says. “Other participating sites will ask if you want to use that login and since the attributes have already been verified you can safely use that same account,” he adds. The login and attribute data can also be transferred to different devices. “After you’ve gone through verification you can register trusted devices, cell phones, tablets and laptops on the network,” Coxe says. Users are also able to control all the login data through an administrator’s console. The data is stored in an encrypted, Webbased vault that users can access to change privileges or turn them off.
: ePassports Standing Guard. Entrust dual-rooted ePassport security solutions are the most scalable, interoperable and deployed in the world. As the global PKI leader, Entrust provides true point-and-click solutions for first-generation (BAC) and second-generation (EAC) ePassport environments. In fact, Entrust is the No. 1 global provider of ePassport security solutions and continues to lead the migration to the EAC standard. See why Entrust is trusted globally and is the only choice for end-to-end ePassport security, including solutions for travel document issuance and inspection.
888.690.2424
Visit entrust.com/epassport for more information.
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. All other company names, product names and logos are trademarks or registered trademarks of their respective owners. Š 2012 Entrust. All rights reserved.
NSTIC PILOTS Go to SecureIDNews.com/podcasts to hear more from Internet2’s Kenneth Klingenstein (episode 101).
Internet2 Internet2’s involvement with the national strategy is no surprise as it is an identity ecosystem in itself. “When NSTIC first came out, they had an animation on their web site about how they saw the world, and I remember going, ‘wow, that’s just like a diagram we drew on a place mat in an Ethiopian restaurant in 2001,’” says Kenneth Klingenstein, Director of Middleware for Internet2. “So we got to see our vision being adopted by a much broader constituency.” The organization will use the $1.8 million grant to build a privacy infrastructure through common attributes, user-effective privacy managers and anonymous credentials using Internet2’s InCommon Identity Federation service. It will also encourage the use of multifactor authentication and other technologies. Internet2’s partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create a scalable privacy infrastructure for the nation’s identity ecosystem. Part of the pilot will include promotion of multi-factor authentication, Klingenstein says. “Because good privacy begins with good security.” The project will create a set of user attributes that represent use cases for the marketplace. But before that can be done there needs to be an under-
28
Winter 2012
Key partners: Carnegie Mellon, Brown, MIT, University of Texas, University of Utah
standing of the context of when an identity might be used. Fundamental to the approach is the group’s concept of user contexts or roles. Klingenstein says there are four typical contexts: employee, consumer, citizen and anonymous. “Our goal is to provide a consistent privacy infrastructure that spans all of those contexts so whether you’re functioning as a citizen, a consumer or a worker, a common set of tools is used in a common way to manage privacy,” he explains. These tools include privacy manager software that enables the user to control the release of attributes and have informed consent. “When somebody asks for attributes, it gives
you the opportunity to say ‘who’s asking and why do they need it?” he explains. The pilot will also be developing metadata mechanisms that can support attributes, context and privacy management. Metadata describes the context, content and structure of records and provides information about format, date, authority and other information. “It’s really metadata that going to give us the scaling to a national and global level,” Klingenstein says. “So we have to press very hard on the metadata boundaries that we currently see and evolve those.” Internet2 will also work on integration of anonymous credentials into the identity ecosystem. The focus is often on low assurance or high assurance credentials, but often neglected are the credentials that enable a user to be anonymous. These credentials exist but have not been widely deployed because of engineering gaps between the credential and the attribute authorities. Klingenstein offers a real world example of how an identity ecosystem might work with Focus: anonymous credentials. Imagine an individual To build a privacy acting in the context of a citizen, participating infrastructure through in a neighborhood wiki conversation about common attributes, landscaping concerns. The conversation only privacy managers and pertains to people whose lawns are really the much-anticipated being affected but we also want to give them anonymous credential. anonymity in the conversation. In this situation the identity ecosystem can know something about where the individual lives to ensure that those involved in the conversation are relevant to it. But it can do so while concealing the identity, thus providing anonymity, for the participants. There are also use cases around the Children’s Online Privacy Protection Act. “In the electronic world there’s no good mechanisms to protect the privacy of children and make sure that when they enter a chat room for kids there’s only kids in there,” Klingenstein says. “I think these technologies can get us a fair bit of the way there.” The anonymous credentials will likely lead to policy issues, the final area in which Internet2 is focused. “Any good technology exposes policy gaps,” Klingenstein says. “It may be the inconsistencies of what people think of as personally identifiable information, it may be inconsistencies of privacy regimes and consent at state, federal and international levels.”
NSTIC PILOTS Go to SecureIDNews.com/podcasts to hear more from AAMVA’s Geoff Slagle (episode 102).
AAMVA Focus: To migrate best practices for identity vetting and credential issuance from the physical world to online environments.
Geoff Slagle
Key partners: Virginia DMV, Biometric Signature ID, CA, Microsoft, AT&T
As the organization representing driver license issuers, the American Association for Motor Vehicle Administrators is no stranger to issuing identity documents. It is leading a group of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative. At its core, the system seeks to move the task of being carded from physical locations to the online world with vetting, authentication and biometrics. In addition to AAMVA, the participants in this $1.6 million pilot include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T. The idea for the project came out of an American National Standards Institute Working Group on identity vetting, says Geoff Slagle, director of Identity Management at AAMVA. “There was a workshop that was looking at this question of ‘is there something we can be doing better to figure out if people are really who they claim to be,’” he explains. This pilot goes to the core of what the national strategy is trying to accomplish building a system that links an identity to an individual. “This continues to be a challenge for people that issue credentials – really knowing that people are in fact who they claim to be,” Slagle says. “Statistics back up the idea that most people are solid citizens but we also have a fair number that try to defraud us when it comes to obtaining a driver license.”
The vast majority of citizens deal with driver license issuing agencies in person. The goal is to try to create a way for them to take some of those activities online. “Before that can happen, the current system needs to be changed,” Slagle says.” Though it may sound simple, the actual implementation has many components. The pilot will involve the verification of information about an individual and then issue a credential to enable trusted transactions. “It will play a role in helping to build a higher level of assurance credential that the individual would be able to use inside of a particular ecosystem,” Slagle says. After enrollment and vetting the system will bind the identity and attributes to the individual with a biometric enrollment, Slagle says. “Someone has a credential that you can have better confidence in because of the vetting process, and they have some kind of biometric that binds them to that credential,” he explains. The AAMVA team is using biometric technology from Biometric Signature ID. It’s deployed as a Web service enabling users to enroll using their mouse, stylus, or touchpad. BioSig-ID captures the speed, direction, length and other unique characteristics of an individual’s signature and stores the enrollment profile in a secure database. Going forward, the individual can authenticate for online transactions in seconds through signature verification.
Winter 2012
29
NSTIC PILOTS Go to SecureIDNews.com/podcasts to hear more from Resilient Network Systems’ Pat Reilly (episode 99).
Resilient Network Systems Key partners: AMA, Aetna, LexisNexis, Kantara, National Laboratory for Education Resilient Network was awarded almost $2 million for two pilots, one in health care and another in education. In health care the company will seek to demonstrate that sensitive health transactions on the Internet can earn patient trust by using encryption technology, on-demand identity proofing and multifactor authentication Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative and the National eHealth Collaborative. In the education sector, Resilient will demonstrate secure access to resources as required by the Family Educational Rights and Privacy Act and Children’s Online Privacy Protection Act. Partners for this pilot include the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify, Riverside Unified School District, Santa Cruz County Office of Education and the Kantara Initiative. The goal is to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships. Resilient builds software that brings three things to the Internet, sys Pat Reilly, executive vice president of business development at Resilient. “First, we
30
Winter 2012
bring the concept of identity, so that when someone is there we can verify that they are indeed the person that they are attempting to portray,” he explains. Second, Resilient enables owners of services, databases and information to set up policies governing what type of individual can access what resources. “This is all about policy on the Internet which really doesn’t exist well today,” Reilly says. Finally, Resilient can obfuscate all of that as well. “Rather than actually letting folks know who someone is, we only let them know that this is indeed a person that meets the policy set by the organization … so we enable privacy for those that don’t want to give out personal information across the Web,” Reilly says. With the grants Resilient will create a team to tackle both areas and build use cases. In health care this means bringing together physicians, insurers, health information exchanges and others. The first use case involves making sure records can be located when a patient walks in the front door, no matter what physician the patient had seen. “Once we have those records from that individual, how can we begin to help give them some coordinated care?” Reilly asks. “How can we share some of the expertise that others have regarding this kind of patient?” There are two things that Resilient is trying to do on the child safety front, Reilly says. “One is to prove a child is a
child, that he or she belongs to a school and that as the parent of that child, I can get records online,” he explains. To do this Resilient partners with the organizations that help manage school information and companies that run media content distribution. This will enable parents to go online and get information from the school but also set up a system for their child so that they can access only appropriate information. This may sound like a simple use case, but that there are a lot of steps that someone must go through to do this today. “Behind the scenes the network will take care of it versus having somebody call people, get somebody else to attest to it, then fax something and sign something,” Reilly says. “We want to use a trusted identity ecosystem to manage all of that.”
What lies ahead? The next 24 months will be telling as five pilot leads and 30 companies attempt to prove different aspects of the identity ecosystem. And still more pilots are likely on the horizon, says Grant, head of the NSTIC Program Office. Federal agencies may use their own budgets to set up systems that would work with the national strategy. The
program office is also hoping to fund additional pilots once the 2013 federal budget is settled. As the organizations deploy systems to make it easier to use high-assurance identities online the amorphous identity ecosystem should become more defined.
Focus: To explore the utilization of trusted identities to protect children online and patients in health care interactions.
Access control isn’t one size fits all either.
Download Our App
Copyright © 2012 ASSA ABLOY Inc. All rights reserved.
From patented key systems to full-featured, online integrated locksets, ASSA ABLOY offers access control solutions tailored to the unique locking needs of each opening. With the industry’s largest range of products, from the most trusted brands, your security dollars reach farther into your facility. Contact your ASSA ABLOY Integrated Solutions Specialist for a consultation on your next project. Visit us at www.intelligentopenings.com/SecurityContinuum.
ADAMS RITE | CORBIN RUSSWIN | HES | MEDECO | NORTON | SARGENT | SECURITRON | YALE
Want help finding the right solution for any opening? Scan this Microsoft® Tag with your iPad® or visit the App Store to download the Security Continuum App for iPad.
anatomy of a password hack Educating users and security managers to withstand modern threats CHRIS CORUM, EXeCUTIVE Editor, Avisian Publications
Most people assume the myriad of passwords they use to log into applications, sites and service providers are relatively safe. They feel relatively safe, rather than extremely safe, because they have read of ongoing breaches and witnessed first hand the advances in computing and subsequently hacking power. Most people are realistic about the complexity of their password selections. Few are among the “14-plus characters, upper and lower case, symbol laden, not-to-befound-in-the-dictionary” group. The average person’s passwords may seem fairly unique, but they are memorable … and therefore they are vulnerable. Password hacking usually evokes images of a bad guy going to the login page at web service, entering the target’s username – most often an email address – and guessing at the password. Many people feel safe because they have been locked out of their own accounts after forgetting or mis-keying a password multiple times. They know their passwords aren’t bullet proof but feel confident it would take a hacker more than three attempts to guess correctly. This lockout feature adds to a mistaken sense of security. That is because lockouts and similar protections do little to stop modern password hackers. They know the username and password before they visit the login page. They cracked it offline hours, days or months before.
32
Winter 2012
The hacker’s paradise Per Thorsheim, security professional and password guru, says an online attack against an individual account via the login screen has many limitations, the most important being the incredibly slow rate at which passwords can be tested. “Tools are available to speed up the process, but they can easily be defeated or at last slowed using rate-limiting countermeasures such as account lockout,” he explains. Offline attacks, on the other hand, are a hacker’s paradise. According to Thorsheim, the only limitation on how fast passwords can be cracked offline is the power of the software and hardware at the attacker’s disposal. And when modern hackers say fast, they mean it. Thorsheim and others say they can make billions of guesses per second using computers and graphics cards available at the local Best Buy. In the typical offline password hack, a database of login credentials is obtained via an orchestrated or accidental breach. In these cases, hackers are not targeting an individual account holder but rather going for volume attempting to crack a bunch of passwords to gain access to many accounts. “Most major leaks involve some kind of attack against an online service, with data copied out of databases and then cracked offline,” explains Thorsheim.
The trouble with hashes Of course, most organizations do not store passwords in the clear or what is known as plain text. Instead they convert the user ’s chosen password to an unrecognizable string of characters using a process called a hash. A hash is an algorithm that when applied to plain text returns a fixed-length unrecognizable string of data. The idea is that a hashed
hashed passwords back into ‘fido’ and other plain text versions. How do they do it? They apply the same hash key used by the system to a plain text password and then compare the hashed version to the list of hashed passwords from the compromised database. If the hash matches any in the database, the hacker has a winner and that accountholder has a problem. If the hacker is targeting a single, specific
FIGURE 1 Password = “fido” SHA-1 Hash = “cc22 a138 b5b0 4eb0 6600 eabb 1a1c d19c cf50 e930”
version of the password can be safely stored in the database, protected should the database ever be compromised. (See Figure 1) A key component of a hash is that it is unidirectional and cannot be reversed. There is no way to apply a cryptographic or other technique to a hash result and determine the original input used to create it. Another characteristic of a good hash is that even a slight change in plain text input will result in a major change in hashed output. This makes it impossible to narrow down passwords by examining inputs and outputs and refining the password. In other words, reviewing the hash of “fidu” or “f1do” or even “Fido” (capital “F”) will not provide clues to help crack “fido”. (See Figure 2)
user and thus password the cracking process can be challenging. But if he has a compromised database with thousands or millions of records and simply wants valid credentials from any account holders, cracking the low hanging fruit is quite easy.
From brawn to brains In the early days, the brute force attack was the prevailing method. The hacker would use an application or script to apply the hash to random combinations of characters and check the resulting hash against the database of actual hashed passwords in search of a match. With modern computers and graphics cards, brute force attackers can do tens of
FIGURE 2 Password = “fido” SHA1 Hash = “cc22 a138 b5b0 4eb0 6600 eabb 1a1c d19c cf50 e930” Password = “fidu” SHA1 Hash = “cd63 b4db 3b4d 50ed 2d51 670b 3e94 80df ac29 52c2” Password = “f1do” SHA1 Hash = “a608 e978 b625 151b 9772 5011 ca5f 47b6 80a6 90d9” Password = “Fido” SHA1 Hash = “c6ea b332 4465 7a4c 4c75 1fa4 7215 5eef 159a a4c8” Infographic source:
In an offline hack, the compromised database of credentials consists of a list of plain text usernames and their corresponding hashed passwords. The hash value for password is not accepted by a system for login, so the trick for the hacker is turning those
thousands to hundreds of billions of attempts per second, says Thorsheim. “Even at such amazing speeds, however, we cannot test every combination possible with a-z, A-Z, 0-9 and special characters at lengths starting from 10-11 and upwards,” he says.
SecurityConverge.com, creator of PasswordGenie, is responsible for many of the graphic icons running alongside this article. PasswordGenie allows users to store encrypted passwords securely on a smart phone, keeping them synced between computers and mobile devices.
Winter 2012
33
Fortunately for a hacker, that is where logical cracking comes to the rescue. Dictionary attacks curb the time required by brute force attacks by hashing common words and combinations of words in search of matches. This attack recognizes the human tendency to select memorable passwords rather than a truly random series of characters. Most hackers rely on dictionaries of real words to expedite the cracking process. Advanced password hackers improve dictionary attacks by studying human password selection techniques and employing this learning to build custom dictionaries. For example, individuals commonly create a password by figURE 3 appending a memorable year to a word or Top 20 passwords name, such as adding a pet’s birth year to his from RockYou.com name – “fido1999.” It is easy to add to a custom dictionary Password Number of users attack, incorporating common pet, human, 123456 290731 athletic team, city and 12345 79078 other names, and even 123456789 76790 appending each with thousands of years and Password 61958 other number strings. iloveyou 51622 And as more and more princess 35231 password breaches have occurred, massive lists of rockyou 22588 actual passwords have 1234567 21726 been compiled. Hackers 12345678 20553 have combined these real selections into their cusabc123 17542 tom lists to create super Nicole 17168 dictionaries. Daniel 16409 Think about it this way. When a database babygirl 16094 containing 6.4 million monkey 15294 LinkedIn passwords Jessica 15162 surfaced in an online forum in Russia in June Lovely 14950 2012, a great deal of michael 14898 the work to crack them Ashley 14329 had already been done. Hacker dictionaries con654321 13984 taining common words Qwerty 13856 and names, slang words, combinations of words, word and number combos had already been hashed using SHA-1. It was simply a means of comparing the dictionaries to the compromised dataset.
34
Winter 2012
It took just seconds for password cracking specialist Jeremi Gosney to break the first 20% of the hashed LinkedIn passwords. Using his custom dictionary of more than 500 million real passwords collected from breaches, leaks and various other sources, he was able to crack 1.4 million without lifting a finger. By applying some basic logical password selection rules to the effort, he had recovered more than half within two hours. In two weeks he had successfully cracked 90% of the 6.4 million hashed passwords. Hackers get smarter post RockYou hack The doors to the password-cracking world literally blew open late in 2009 when the online gaming site, RockYou.com, was hacked. Nearly 32 million passwords were posted to the Internet in plain text. The impact of the breach went far beyond the compromised site, as the data became a goldmine for anyone wanting to understand human password selection. For the first time, researchers and hackers had an actual dataset of massive proportion to explore, rather than one created via surveys, extrapolations and academic research. It was as if everyone in the state of California showed up at DEFCON to share their personal passwords with attendees. RockYou redefined the dictionary attack by providing a glimpse into our secret password creation techniques. Just weeks after the leak, security firm Imperva published an analysis of the password database. The findings were telling, though perhaps not surprising. Individuals tend to select the easiest, most basic passwords that meet the system’s requirements. More than one of every 100 users selected “12345” or “123456” One of three chose a password of six or fewer characters 60% used only alpha-numeric characters Nearly half used names, slang words, dictionary words or other trivial passwords such as consecutive numbers. And hackers learned even more by examining the patterns. Incredibly common were names or words combined with numbers or dates (fido1999); words and their mirrors (fidoodif); and adjacent letters on a keyboard (asdfghj).
They learned more subtle patterns as well that further enabled the fine-tuning of their custom dictionaries. When numeric characters are required, users tend to put them at the end of the pass-
Strengthening passwords Any hacker or statistician will say that there are two fundamental elements to password strength: size of the available character set and
figURE 4 - IMPACT OF CHARACTER SET ON NUMBER OF POSSIBLE 4-DIGIT PASSWORDS Character set
Formula
Combinations
Digits (0 -9)
10^4
10,000
Lowercase letters
26^4
456,976
Case insensitive letters and digits
36^4
1,679,616
Lowercase and uppercase
52^4
7,311,616
Lowercase, uppercase, and digits
62^4
14,776,336
Lowercase, uppercase, digits, and symbols
95^4
81,450,625
word (fido123). If symbols are required, they tend to be used in between combined words (fido$1999) or at the end of the password (fido1999&). When uppercase letters are required, they tend to be used at the beginning (Fido) or at the beginning and end (FidO). Substitution of numbers for certain letters is common, such as “1” in place of “i” (f1do) or “3” in place of “e” (h3llo). The top 5000 passwords used on RockYou list were shared by 20% of users. That means that even if this list has been hashed, any hacker – or even a basic computer user – could crack more than 6 million accounts in no time. With only a bit more work, the number of cracked accounts would reach 16 million as a basic dictionary attack matched names, slang words, and dictionary words. With half the database cracked before the morning coffee was cold, the hacker could then move to more the sophisticated customized dictionary attacks and ultimately brute force attacks to take down others. (See Figure 3)
length of the password. The size of the character set is crucial in determining the strength of a password. It stands to reason that if the pool of potential characters gets bigger, it becomes more difficult to determine each character in a password. This is the reason that, overtime, password requirements have progressed beyond numbers or letters to require alpha-numeric combinations, upper and lower case letters and symbols. With each addition, the size of the character set available for use in the password grows and so too does its strength. The following chart shows the impact of an increasing number of usable characters on the total number of possible password combinations. For the demonstration below, a super short, four-character password is used – of course no one would use such as short password, unless it was for something insignificant like PIN-protecting a bank card. ( See Figure 4) The number of characters also impacts the strength of a password. The increase in strength rises exponentially, not linearly, as the number
figURE 5 - IMPACT OF PASSWORD LENGTH ON NUMBER OF POSSIBLE COMBINATIONS Number of characters
Formula
Combinations
Password length = 4
62^4
14,776,336
Password length = 5
62^5
916,130,000
Password length = 6
62^6
56,800,000,000
Password length = 7
62^7
3,521,614,000,000
Password length = 8
62^8
218,340,110,000,000
Winter 2012
35
of characters increase. The following chart shows the impact of adding characters to a password that uses upper and lowercase letters as well as digits. (See Figure 5)
Passwords vs. passphrases
Weak Passwords
36
Winter 2012
The RockYou hack showed that left to their own devices, individuals gravitate toward weak passwords. As evidence, Imperva research found that 30% chose six or fewer characters and less than 4% included special characters/symbols. Some in the authentication community believe that the use of a phrase in place of a password can help address each of these weaknesses and thus passphrases have been gaining favor. First, phrases tend to be longer than passwords and thus have an inherent strength advantage that comes with additional characters. Even if the phrase selected consists of common dictionary words, its sheer length can add some level of strength. For example, the phrase “i graduated with honors from high school in kalamazoo” is certainly stronger than the word “graduated.” Phrases can easily include, or be required to include, upper and lowercase letters as well as numbers and even symbols. This means phrases can benefit from the strength of large character sets. Example: “I graduated with honors & a 3.8 GPA from high school in Kalamazoo.” Perhaps most importantly, many feel phrases are easier for users to remember than strong passwords. This means the unfortunate tendency to write down passwords on post-it notes or select the same password across sites can be lessened. The sentence above is meaningful and memorable so it should be easier to remember than a password like “gr@du8ED.” The phrase is also much harder to crack using brute force or custom dictionary attacks. But are passphrases inherently better than passwords? “We really don’t know yet, but a general belief is that they are,” says Thorsheim. Still his optimism is cautious. “Cracked passphrases, like those found with the Linkedin breach, suggests that users select “common” phrases from movies, books and
pop culture,” he explains. When common phrases are used, the strength benefits of length can protect against brute force attacks but do little to guard against custom dictionary attacks. Phrase dictionaries are already in development across the hacker community. From the LinkedIn breach, Gosney found numerous examples of easy-to-crack common phrases:
happy healthy wealthy and wise, elvis has left the building, big trouble in little china, save the cheerleader save the world, crisscross applesauce, and work smarter not harder.
Certainly a hashed version of Bartlett’s Familiar Quotations is part of the modern hacker’s toolkit. If a phrase is simply a combination of words, the number of passphrases would seem to be infinite. But Thorshiem suggests otherwise, particularly if you assume perfect grammar, no misspellings and short sentences based on common words used by the average English speaking person. “As we apply all kinds of research into language statistics we may find that there are not that many combinations to test after all,” he says. If words were misspelled on purpose and non-existing words, dialects or incorrect grammar was introduced, would it increase the robustness of the passphrase if attacked? Thorsheim thinks it would, but he warns it could also impair the user’s ability to actually remember the passphrase. “Our understanding of “secure” must include usability aspects,” he says. “It can be easy to create a secure solution, but it is just as easy to make it incredibly difficult to use, with high costs and loss of customers as a direct consequence.”
The scarier truth If one’s LinkedIn social network or RockYou online gaming account is compromised, it is an inconvenience and possibly an embarrassment, but many would argue it is not that big of a deal. The reality, however, is far scarier. Among the things the previous decade of
SALTO Electronic Locking System
THE KEYLESS SOLUTION TO MECHANICAL KEY CONTROL The SALTO Virtual Network - System Description
Features & Benefits
The Wirefree battery operated locks, cylinders and lockers are networked to your server without wires.
· No wiring costs, simple installation and reduced material costs · Adaptable to any kind of door, including lockers and glass door locks · Track events in the facility, such as battery status, access granted/denied and staff activities · Smart battery management and innovative design · Wall readers and door controllers are used for elevators, gates, barriers or speed gates
The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides audit trail and informs about battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions. FOR MORE INFORMATION PLEASE CONTACT US SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340 Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098 info@salto.us • www.salto.us • www.saltosystems.com
i n s p ir edaccess
Weak Passwords
breaches taught hackers is that people reuse passwords and password patterns. In his exploration of the LinkedIn data leak, Gosney found three important words in the list of most common base words used within passwords. Among the usual suspects like “love” and “password” he found “linkedin”, “linked” and “link”. More than 1% of all pass-
an specific individual’s car. More likely they simply came to steal cars and they will pick the easiest ones first. If the owner diligently applies a steering wheel lock or other security add-on, it is far more likely that the thieves will choose an adjacent car. That is not to say that they could not break the additional lock and make off with the
words contained one of these terms. What is the ramification of this? If an individual’s LinkedIn password is “bob&linkedin” there is a very good possibility that his facebook login is “bob&facebook”. If he uses the same configuration
vehicle, but it would make no sense when other cars are quicker and easier to obtain. In the same way, if an individual employs strong techniques in the password or passphrase selection process, hackers will crack thousands, perhaps millions, of weak selections before cracking the stronger ones. It is likely that
I don’t think passwords and PINs will ever disappear, but lots can be done to improve the way they are generated, remembered, sent, stored and reset for his email login, a hacker has access to his email account. And that is where he can take advantage of a well-timed reset request at the user’s online banking site in order to get past some of the weaker mechanisms that purport to be multi-factor authentication at bank sites. No matter how insignificant the site or service may be, any breach causes a frightening cascade of risk if a user chooses and reuses weak passwords.
Recommendations for users A parking garage seems a fitting analogy for the state of passwords and protections. Imagine a car parked in a garage with thousands of other cars and a team of auto thieves loose in the garage. It is unlikely they came to steal
38
Winter 2012
the breach would be identified and publicized as accounts were accessed fraudulently. Individuals with still-intact accounts – those with the strongest passwords – would have time to select a new one before the old was cracked.
Are passwords obsolete? Thorsheim believes that a passphrase, or even a password, can provide more than sufficient security if implemented correctly by both system administrators and users. Though it starts with strong password selections, he says it requires much more. “Proper sending, storage and reset practices must be applied, but today most service providers simply don’t do it,” he says. “I don’t think passwords and PINs will ever disappear,” he concludes. “ But lots can be done to improve the way they are generated, remembered, sent, stored and reset.”
Can passphrases strengthen the embattled password? Indiana University says yes, researchers suggest caution Andy Williams, Associate Editor, Avisian Publications
Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge. The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University. Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day. The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.” He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase. “While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.” That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.” Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,”
he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”
Selecting strong passphrases core to IU learning But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.” Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security prospective.” It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters – letters, numbers, or symbols – and contain at least four words. A word must contain two or more distinct letters separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ ). For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer. Pass phrases cannot contain the student’s name or username, use the @ sign, the number sign (#) or double quotes. It cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.” Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer. Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.
Winter 2012
39
BYOD disrupts IT, muddies convergence
Melding physical and logical access tougher as devices proliferate Zack Martin, Editor, Avisian Publications
Convergence of physical and logical access credentials on to one card has often been compared to Bigfoot or unicorns. It’s talked about a lot but rarely seen. This had been starting to change in recent years as U.S. government agencies and a number of large corporations launched converged solutions. But the need to enable mobile devices to access corporate resources has added complexity to convergence. Bring your own device – or BYOD as it’s more commonly known – is disrupt-
40
Winter 2012
ing to corporate IT departments. The problem is the level of work required to secure multiple devices with different operating systems. The alternative is allowing only organization-issued devices, but this can be expensive and risks employee backlash if they don’t like the device chosen. Using the mobile device as an identity credential and to access secure systems is a growing trend. The first draft of FIPS 201-2 didn’t have a solution for using PIV with mobile devices. The outcry caused
major revisions and lead to the proposal that derived credentials be used to secure mobile devices and their access to email and networks. Mobile security is a concern for organizations and users. Employers want to secure access at the lowest possible cost. Employees want to be able to use the device of their choosing without having their employer look over their shoulder or restrict access. The concern today focused on use of the device to access secure information. But in
These phones would be better security than other hardware options – far better than user name and passwords and hardware tokens
the next five years the mobile may replace the plastic ID card as the employee credential, says Allen Storey, product director at Intercede. “Everything is going to migrate to the mobile device,” he says. It’s likely that the first converged systems that use the mobile device will take advantage of the smart card and be a type of derived credential, such as those proposed in the FIPS 201-2 draft, Storey explains. This type of system would have a smart card spawn a credential – typically a lower assurance version – to a mobile device to sign and encrypt email or access networks. There are a couple of ways this could be done. The easiest would be to use an NFC-enabled handset to read the contactless portion of the smart card credential to spawn the lesser credential. The other way is to use a mobile device manager that would take the request from a smart card that’s plugged into a computer and then load the lesser credential on to the mobile device over the air. There are other possible solutions too. The future workplace may not have employees carrying laptops or ID credentials, says Dave Mahdi, a product manager at Entrust. Instead they’ll be carrying tablets with mobile phones. Activate an app on the mobile, tap it against the tablet, enter a PIN and gain access. Some executives or officials who require access to high-security data may still use smart cards, he says. Using the mobile as an identity credential could reap cost savings for corpora-
tions. Enrollment stations, card printers and cards would no longer be necessary and the mobile could be provisioned over the air, says Mike Byrnes, also a product manager at Entrust. “These phones would be better security than other hardware options – far better than user name and passwords and hardware tokens,” he adds. In the meantime many corporation are already placing digital certificates on devices using mobile device managers, says Mahdi. Some are also using one-time passcode applications and text message applications for an additional layer of security to access virtual private networks or other systems. “They’re using those certificates to make sure information in transit is secure,” he adds.
Obstacles to mobile convergence One barrier to using the mobile as a converged credential is the same that has stood in the way of converged credentials for years, Byrnes says. Logical access and physical access are typically two different organizations and don’t play well together. “These are siloed groups that have different budgets and different goals,” he says. Another is the lack of availability of NFC and the restrictions of accessing it. Derived credentials would be simple to use if an end user could tap their NFC-enabled handset on a contactless card to spawn the new credential. “NFC plays a crucial role and is central to this,” Storey says.
In the U.S., mobile operators and handset manufacturers control the secure element and thus the ability to access the NFC capability. Agreements need to be put in place so consumers and their chosen application providers can enable data to be stored on the secure element. Until these agreements are in place, using NFC in an enterprise environment will be severely restricted. There are also concerns about viruses and malware when it comes to the mobile, Mahdi says. “A smart cards has its own operating system and it’s not online so there’s no risk of something running in the background or your card becoming a zombie,” he explains. The mobile device is another story. It’s online and more vulnerable to attack. Policies need to be put in place to make sure the employee knows what may happen in case a mobile device is infected, says David Adams, senior director of product marketing at HID Global. If a phone was infected with malware or corrupted, an employee would have to allow the phone to be wiped. There’s also the idea of containerization for mobile devices, Adams says. All work related applications would be stored in a secure encrypted area and personal applications in another. The two wouldn’t mingle. BYOD and security convergence are coming. While policy and technical issues have to be figured out, these are not urban legends like unicorns or Bigfoot.
Winter 2012
41
Turning NFC-enabled BYOD smart phones into secure credentials Lessons learned from early access pilots Debra Spitler, Vice President, Mobile Access Solutions, HID Global
The Bring Your Own Device movement coupled with near field communication-enabled smart phones are on a course to change enterprise identity management. The latest pilots of mobile access control reinforce the need to support both of these trends with an infrastructure that delivers security and an optimized user experience. This will require over-the-air credential provisioning and management within an ecosystem of interoperable products and services.
HID Global explored these issues during pilots of NFC-enabled smart phones with Netflix and Good Technology. In both pilots, proximity readers used with cards, key fobs or tags were replaced with HID Global’s iCLASS SE access control platform including iCLASS Seos credentials that are portable for use on NFC-enabled smart phones. Both Netflix and Good Technology cited the convenience of the mobile access control model as a key benefit for the enterprise, especially in a BYOD environment. Today’s workers treat their mobile
42
Winter 2012
phones almost like an extension of their identity. They are authenticated by their financial institution using these devices so they know they can trust them. They also store their memories, photos and videos on them, so they literally are an extension of their identity. Furthermore, employees carry these devices wherever they go, and are far more likely to forget or misplace their badge than their phone. In order for mobile access control to be successful, it must be extremely easy to use. In each pilot, participants uniformly felt that the mobile access control model
was more convenient than what they were currently using. Another observation that was shared after the pilots was that there is a critical need for everyone in the industry to be in lockstep, contributing to a shared vision for the deployment and use of mobile credentials. It is believed that, over time, users will organically migrate to the solutions that give them the device features, applications and credentials they want to use. It will also be very important that all solutions be hardware- and platformindependent and based on open standards
so that investments in today’s solutions can be leveraged in the future. Improved security was also important to both companies that participated in the pilots. One impetus for enterprise deployment is that it enables companies to treat physical access just like any other entitlement from an IT perspective and to tightly couple the two. In other words, the way in which access is granted to an IT system and a door reader should be similar. The mobile platform is also seen as an ideal convergence point for device, identity and access management, especially in highly regulated industries. The security of the mobile access control model is ensured through a) the use of a new type of identity representation, b) the smart phone’s secure element, and c) a trusted boundary so that BYOD smart phone and its transactions can also be trusted within the access-control managed network. Smart phones that do not feature NFC technology can be securely upgraded to this capability by using an NFC-enabled add-on device such as a microSD card. Digital keys and credentials are provisioned either by connecting the mobile device to the Internet or over the air via a mobile network operator and Trusted Service Manager. The personal privacy of BYOD users within a mobile access control environment is also important. There is tension
organizational data residing on a private mobile device by first creating a remotely-managed encrypted zone inside this device and then, according to policy, limiting interaction between this zone and the rest of the device. All applications and other ID credentials are containerized between personal and enterprise use and strong authentication is required to access the applications and data. Security will be further optimized through new applications that can be used with digital keys and cards, for example, an application for pushing multi-factor authentication to a phone if the threat level rises. In government applications requiring strong authentication, smart phones will need to support PIV credentials that are used by U.S. Federal workers, derived credentials and Public Key Infrastructure. In a BYOD environment, this combination of derived credentials with a containerization solution will also drive the requirement for hierarchical lifecycle management so there is a distinction between PIV and personal credentials when it comes to provisioning and deprovisioning smart phones. Enterprise users also will likely use smart phones for network and application logon, as well as opening doors. This puts a focus on cloud storage security. The best approach is federated identity management, which enables users to access multiple applications by authenticating to a central portal. This supports a variety of authentication methods without requiring any device changes. It also meets compliance requirements by providing a centralized
audit record of any accessed applications and can support a hybrid environment of both plastic cards and smart phones. A number of opportunities were identified during the Netflix and Good Technology pilots to improve the mobile access control experience as the industry moves closer to deployment. This includes bringing more mobile network operators and handset manufacturers
employees carry these devices wherever they go, and are far more likely to forget or misplace their badge than their phone between employees who want to carry their own smart phone and IT teams that must enforce organizational requirements for strong authentication. Containerization is a potential solution. It enables companies to secure
Winter 2012
43
participants cited the need for an “always on” access control experience, which requires that NFC handsets be able to open doors without having to start an app into the ecosystem so that users have more service and product choices. Additionally, participants cited the need for an “always on” access control experience, which requires that NFC handsets be able to open doors without having to start an app. It will also be essential that secure elements – either embedded in the phone or in their subscriber identity module (SIM) cards – are made available for over-the-air communications directly with service providers. Pilot participants highlighted the need for solutions that do not excessively drain battery, are available even when the battery is dead, don’t interrupt other tasks and deliver an intuitive user interface.
44
Winter 2012
The convergence of physical and logical access control on BYOD smart phones and other mobile devices promises many valuable benefits, including improved convenience, more flexible management and enhanced security. The foundation has already been laid for highly secure transactions between NFC-enabled smart phones, computer and networking resources, physical access control systems and a new cloud-based and over-the-air identity delivery infrastructure. HID Global’s iCLASS Seos is standards-based technology to manage and authenticate identities and can also be used across multiple form factors including NFC smart phones.
Netflix, Good Technology test NFC For physical access control Andy Williams, associate editor, Avisian Publications
Two corporations piloted NFC for physical access control with 80% to 90% of end users finding the system intuitive and easy to use. Netflix and Good Technology tested the solution from HID Global replacing either cards of key fobs with microSD cards embedded into Samsung Galaxy S III handsets. The phone has built-in, native NFC technology that can be used to share data between phones, read NFC tags and conduct payments. It does not, however, support the NFC standard’s card emulation mode which is needed for mobile access, says Debra Spitler, HID’s vice president for mobile access and project manager for the two pilots. Hence, a microSD card with
range extender from Device Fidelity was added to enable the feature. “To provide such support, either the handset manufacturer or the mobile network operator needs to provide communication access to the embedded secure element via a trusted service manager,” says Spitler. “The U.S. mobile network
operators do not have active trusted service manager so there is currently no means by which to use card emulation.” The pilots started in late summer and both companies continue to have individuals using their smart phones for mobile access, says Spitler. Good Technology, which provides mobile data security solutions for its customers, was using HID prox cards for door access prior to the start of the pilot. Netflix was using HID proximity key fobs. HID Global’s multiCLASS SE readers replaced the proximity readers at select locations in both the Netflix and Good facilities. The Samsung phones were equipped with HID digital keys that store and emulate user credentials. When a microSD is used for the HID Seos applet – as opposed to the applet being stored in a SIM or embedded secure element – HID can communicate over-theair with the microSD and Mobile Keys app on the handset via the ASSA ABLOY Mobile Keys ID Service Provider Trusted Service Manager. “This allows us to provision and de-provision HID digital keys over-the-air to the handsets,” Spitler says. If the NFC capability was housed in the SIM or embedded in the handset’s secure element, the network operator or handset manufacturer would control access and provisioning. In the future, this process will take place via the HID Security Identity Services portal. Using the portal, a customer will purchase digital keys from their access control system provider just like they purchase cards today, Spitler explains. Rather than delivering programmed cards, HID will deliver the digital keys
to the customer via a secure Web portal. The customer will then access the portal to register the handset to a specific user and then assign a digital key from their key vault to the handset. Once this is complete, that digital key will be entered into the access control database and assigned access privileges. As mobile network operators and handset manufacturers put Trusted Service Managers in place, HID will have connectivity to them such that the Seos applet, mobile keys applet and digital keys could be delivered over-the-air from HID to the Trusted Service Manager and ultimately to the handset, Spitler says.
Netflix Netflix was motivated to participate in the pilot because it wanted to make access control more secure and more convenient, explained Bill Burns, director, Netflix IT Networking & Security, during an HID strategy briefing at the 2012 ASIS International conference. “We didn’t want people to have the burden of a separate token and we knew that they were using their phones,” says Burns. The move from less secure prox technology to contactless smart cards was a benefit too. “The implementation of mutually authenticated cards and readers was really appealing to us,” Burns says. To get employees ready for the NFC test, Netflix first gave them the option to affix microprox tags – coined-sized proximity stickers – to their phones. These coin-sized microprox tags were adhered to the back of their phones. “They could
Winter 2012
45
46
Winter Fall 2012 2012
wave their phone in front of the reader to access the building,” says Burns. “They thought this was pretty cool.” The microprox tag was used because Netflix had proximity readers already on site. At the time of the mobile access pilot, about 44% of Netflix employees had moved to the prox tag. Sixteen were then chosen to participate in the NFC pilot and provided the Samsung phone. Feedback from Netflix employees has been excellent, says Burns. “They love the technology.” However, employees also wanted more choices when it comes to the handset. The Netflix test involved “one particular phone, one particular operating system and the feedback we got is that they really wanted a choice,” Burns adds. “They wanted to use different mobile operating systems and different handsets.”
Good Technology At Good Technology, ten employees were initially involved but by the pilot’s end, 25 were on board, says Chris Webber, senior product marketing manager for Mobile Security Platforms at the company. The use of NFC-enabled phones for access control worked for the company, says Webber, who spoke at the same HIDsponsored ASIS conference. “We live and breathe mobility every day, so having this as a natural extension of the mobile device made a lot of sense,” he says. “For that reason it wasn’t surprising to me that people took to it very naturally.” Webber admitted to forgetting his work badge from time to time. “But I never forget my phone at home or at my desk,” he says. “Being able to use my phone, rather than a badge, to open doors really simplifies my daily routine.” Pilot participants didn’t require any training. “What was interesting was that folks that weren’t in the pilot were pulling their own phones out and giving it a try. That’s how natural this technology just seems to folks.” He later had to put up signs explaining the pilot so employ-
ees wouldn’t keep trying to open doors with their phones. An additional aspect of the physical access technology was tested at Good Technology. The company extended the pilot to evaluate the use of an NFC-enabled Sargent SE LP10 lock on an interior room door to an executive’s office. The office was used as a temporary conference room when the executive was away. The executive was able to select the individual employees and specific times where access would be granted to the office.
The results According to HID’s third-party survey, more than 80% of Netflix respondents felt that the application for unlocking a door was intuitive, and nearly 90% described it as easy to use. This was echoed at Good Technology, where more than 80% felt the smart phone was more convenient to use than their current access card, primarily because they never forget their phones like they do their badges. More than 83% of Good Technology participants felt that the company’s physical security was improved using a
try moves closer to deployment. This includes bringing more mobile network operators and handset manufacturers into the ecosystem so that users have more service and product choices. Webber sees Good continuing to utilize the technology. “We want to leave what we have in place, because the readers work with our plastic cards as well,” he says. He also intends to test new uses for NFC. “How cool would it would be if an email sent to my phone could grant me access, for example, to the Dallas office for Wednesday through Friday?” asks Webber. HID is continuing its work to encourage implementation of the technology. “We’re happy to see that we’re getting more people involved,” says Spitler. “HID remains
Being able to use my phone, rather than a badge, to open doors really simplifies my daily routine.
smart phone rather than a card. Among Netflix participants, 87% say they would want to use a smart phone to open all locked doors at the company. The pilots highlighted a number of opportunities to improve the mobile access control experience as the indus-
committed to working with the handset manufacturers and mobile network operators to complete the ecosystem that will support the use of natively-enabled NFC smart phones for physical access control.” There are also possibilities for applications besides physical access with NFC too, Spitler says. “In talking with HID customers, we found there was certainly interest in being able to use an NFC phone for other applications, just as customers do with their plastic HID cards,” she says. “They’re looking to us to work with third parties to enable hardware to work with the mobile phone,” she says. She highlights multifunction printer control, time and attendance and vending payments as just a few of the possibilities. “I see a parallel with using the phone like you would use a card today,” she concludes.
Fall 2012
47
Choosing the right card printer for your company navigating the showroom floor Andrew Hudson, Contributing Editor, Avisian Publications
48
Winter 2012
E
mployee ID credentials have advanced greatly in recent years, but as new security features and materials are added to the mix one constant remains: the need to print and personalize the badge. Choosing the right card printer is like purchasing a car in that the buyer must balance wants and needs. While the organization may want the Ferrari of printers they must ask, is it feasible? Reliable? Maintainable? Will they even know how to drive it? These are concerns that decision makers from every company – large or small – grapple with when investing in a card printing system.
Different sizes, different drivers Shane Cunningham, marketing communications manager for Digital Identification Solutions echoes this sentiment. “For businesses of any size that have tight budgets and ever-changing needs, the keys are versatility, reliability and a low total cost ownership.” When it comes to ever evolving card technology, companies must be mindful of versatility. “They need to look for solutions that can meet their current needs but can be easily modified should needs change,” says Cunningham. Versatility, along with the size and ambition of the operation, should be the lens through which any end-user views the card printer market. Small operations should look for solutions that will be easy to implement, operate and maintain – it is a case of simplicity. Features such as easy loading of card ribbons as well as integrated card design software within the printer are extremely valuable, says Alan Fontanella,
vice president of Product Marketing for HID Global. “For small organizations with few employees and who require basic ‘one-off’ card design, embedded card templates located within the printer browser can eliminate the need for separate software installation.” For small businesses, solutions that feature greater ease of installation are invaluable. “The printer should come with integrated software so they can be up and running fast,” says Kathleen Phillips, vice president of distributed issuance at Datacard Group. Integrated software benefits smaller businesses by offering built-in card design capability, explains Fontanella. “Some printers include an embedded badging application that provides a ‘plug and play’ feature for creating simple card designs satisfying basic ID card printing needs.” “A user can custom design and print a card quickly using the included design templates, eliminating the need to install additional card personalization software,” says Fontanella. As the size of a business increases so too do its ambitions. For this reason, larger operations should seek out more powerful printing solutions. “These organizations typically seek intuitive and scalable printers that can meet evolving requirements,” says Fontanella. Efficiency often goes hand in hand with growth, and for larger businesses, time is of the essence. “Mid-size business should look for printers with speed and performance to enable printing large quantities of cards at select times,” says Phillips. Planning for the future of both the organization and card printer technology is key for any operation but as the size of the business increases this foresight becomes more crucial. “The printer solution should be modular, with the ability to add dual-sided printing functionality in order to scale in
parallel to an organization’s growth,” says Fontanella. As with small businesses, the idea of versatility comes into play with mid-size firms as well. “Mid-size companies often require electronic personalization and encoding to support their technology migration needs,” says Fontanella. “Printer and encoder solutions should be capable of accommodating magnetic stripe as well as more robust card technologies to support an organization’s transition from one technology to another.” Larger companies must be familiar with technological advancements in printing – namely security – as they often have both the security demands and the resources to employ the most advanced solutions. “Larger businesses need to be cognizant of security features the printer offers – do they need features like fluorescent printing or custom laminates?” says Phillips. Large organizations are also concerned with print speed and quantity. “They typically require high throughput for growing staff requirements, contractors and visitors,” says Fontanella.
A user can custom design and print a card quickly using the included design templates As quantities increase, concerns regarding security are sure to follow. Fortunately, with options like holographic over-laminates, forensic features and holograms, large operations may already have the answers they need. “Enterprise and government organizations are increasingly looking for risk-appropriate card personalization systems that address diverse requirements for anything from basic ID badges to highly secure credentials that use hardware lamination modules for added secure visual personalization,” says Fontanella. Additionally, larger businesses often have multiple offices where linking disparate databases or linking securely to a central database is vital. In such instances security is a necessary expense and a robust, comprehensive solution is required. “Large businesses with multiple offices or locations should seek a card personalization software solution that seamlessly
Winter 2012
49
showroomfloor HID
DataCard
Evolis
Digital IDentification solutions
50
Direct-to-card printing
Retransfer printing
Also known as: Dye sublimation, dye sub, dye sublimation thermal transfer, D2T2 and surface printing
Also known as: Reverse image
This printing technique involves the use of heat to transfer dyes from a ribbon directly to a plastic card. The printer ribbon is stained with a waxy substance containing different colored dye panels – cyan, magenta, yellow and sometimes black – which is then combined in specific amounts on the card to create a full spectrum of colors. The print head applies heat at precise locations and temperatures, thus converting a specific amount of dye from solid to a gas and transferring it into the card’s material.
With this technique, the device first prints images onto a special film that is then fused into the surface of a blank card through heat and pressure. Because the graphics and text are printed on the underside of the film, the image is “sandwiched” between the film and the card. This process produces excellent print quality, is durable, and provides the ability to print cards with embedded technologies such as contact or contactless smart card chips.
Winter 2012
links internal and external databases to create cards over a network,” explains Fontanella.
The bells and whistles The features offered by modern card printers are vast and advancements are being made on both the card and card printer fronts. This requires end users to identify which features to demand and which to avoid. “These hardware and software features are traditionally tied to the user profile of the organization,” explains Fontanella. These user profiles are comprised of a number of wants and needs. The customer must ask questions like will the cards be contact or contactless smart cards? How many cards will be printed? Do multiple types of personalization need to be supported? On what OS will the printer operate? For contact and contactless smart card printing, retransfer technology will certainly be a desired feature. Using a special film that fuses smoothly to the card’s surface, retransfer printing produces a sharper, higher quality print than direct-to-card surface printing methods. “Retransfer technology doesn’t print directly to the card’s surface, which eliminates the risk of misprints of expensive cards due to surface or sub-surface irregularities or abnormalities,” says Fontanella. The card landscape is an ever-changing one and the end user should be ready for any contingency, Cunningham says. “With all of the various encoding, printing and laminating options out there now, you need a system that at any moment could switch out technologies or personalize multiple technologies simultaneously,” he adds. “Each project manager should evaluate what features are needed for their current issuance programs, keeping in mind where they would like to be in three to five years and then select a solution that can get them there most efficiently,” says Cunningham. While there are a multitude of features available, never overlook simplicity, says Kurt Bell, sales director at Evolis. “One of the most important factors is basic operation,” he says.
The latest technologies and features in card printing can often overshadow other important aspects of the decision making process. Bell implores the consumer to consider the logistics of the printing operation before making a purchase. “Consider where the printer will physically reside within your location,” says Bell. “In some work environments rear loading printers – both cards and ribbons – are problematic.” Bell raises an important point. Regardless of the printer or chosen, the burden ultimately falls to the consumer to operate it. “Some printers have cartridges that are easy to drop in and the ribbon type is automatically detected by the printer,” he says. “Others use rolls which are less obvious to install and the printer will need to be manually configured for each ribbon change.” General ease of use is of particular concern to smaller businesses where more novice operators will likely do printing.
Keep it clean Loading is only one of the factors of maintenance. Cleaning is also a regular function of card printer care. “All card printers require regular cleaning,” says Bell. “Some let you know when it’s time to clean, others don’t … and cleaning on some models is more difficult than others.” Printer cleaning may not be the sexiest part of the card printing process, but it’s a necessary function and one that should be considered during the purchasing decision process. “Most manufactures have videos on their web sites that show basic operation and maintenance – watch them before making your decision,” says Bell.
Laser engraving adds security, cost
Laser engraving is a newer alternative to traditional card printing that is gaining momentum. Used primarily in high-end security and identity card projects, laser engraving offers the consumer an interesting alternative. “Laser engraving by itself reduces supply costs in that you do not have ribbon or film costs, but requires specific card bodies that cost significantly more per card,” says Shane Cunningham, marketing communications manager for Digital Identification Solutions. The demand for laser engraving is growing, and the benefits of the technology are evident, but the cost to be on the cutting edge is significant. “Combination solutions, such as color retransfer, high res UV and laser engraving with a custom laminate, could cost you upwards of $100k for the hardware/software, and $2 or more per finished card,” says Cunningham.
Winter 2012
51
Fontanella also sees the value in proper cleaning and maintenance as a tool to reduce total cost of ownership. “Even though the maintenance of card printers is generally inexpensive, it is still a valuable habit to routinely maintain the hardware,” he adds. “Regularly cleaning print heads and the card feeding mechanism can limit the risk of more expensive service and replacement.”
to pay a premium – be wary,” he cautions. That being said, it is the software that will enable the printer to meet all the requirements the consumer is seeking. Consulting the web site of the printer manufacturer or calling directly are ways that the consumer can verify that the software capabilities of the printer will meet the necessary benchmarks.
The price tag Wants, needs, features and software aside, a primary concern for any consumer will forever be the price. Valuing a card printer, however, goes deeper than a simple price tag as main-
Under the hood Software is another crucial element to the card printer and can be the make-or-break for many consumers. Thus it needs to be examined closely prior to purchase. “Integrated software is key to maximizing the capabilities of the printer,” says Phillips. The first thing to consider when looking at the software of a card printer is which operating system the printer will run on and whether or not the printer will support the consumer’s preference. While this seems a rather straightforward concept, there are some details that muddy the picture. Some printer manufacturers restrict access to certain advanced features to inhibit the functionality of third-party software, says Bell. “This is done to protect their own software sales for which the customers are forced
52
Winter 2012
For total cost of ownership, the key is to calculate the initial cost of the unit, the cost for supplies and an honest estimate of service or repair costs over the lifetime of the card project tenance, consumables and cost of initial deployment must all be considered. “The cost for initial deployment varies based on a number of factors,” says Fontanella. “The number of employees in an organization, the type of card to be used, the level
of personalization and the risk-appropriate level of security or durability desired.” This is where the consumer’s research becomes vital. The total cost of ownership will always be dependent upon the context in which the printer will be used and the technologies it will need to personalize. Maintenance costs vary but are typically low. More crucial to the overall cost of the printer operation, however, is the cost associated with consumables. Cunningham agrees with this concept. “Cost of systems and supplies depends on the solutions put in place, whether its monochrome data or bar code printing, full-color direct-to-card or higher end color retransfer and UV printing.” Lamination is a common part of card printing and the prices associated with the various laminates available can vary significantly depending on customization and features, explains Cunningham.
So what’s the bottom line? By taking into consideration the ongoing requirements of a printing operation, the actual cost of ownership comes into view. “For total cost of ownership, the key is to calculate the initial cost of the unit, the cost for supplies and an honest estimate of service or repair costs over the lifetime of the card project,” says Cunningham. As with any purchase, the process of selecting a card printer entails a series of trade-offs and considerations ultimately leading the consumer to an informed decision. “A reliable and versatile system may cost more up front, but can reduce your downtime, maintenance and replacement costs later,” says Cunningham, “saving you more money in the long run and providing better cards in the meantime.” Being informed is the key. Realistically balancing wants and needs, formulating a workable budget and preparing for operation and maintenance needs is essential. When done properly, any organization can drive away happy.
Get security and convenience... along with reliability and a
compelling ROI. With Lumidigm, you don’t have to compromise. We call this the Lumidigm Advantage™. Quite simply, our patented multi-imaging approach to identification and authentication is the best there is. Lumidigm technology was specifically developed to address the shortcomings of conventional sensors that force users to choose between security and convenience. For more information about the Lumidigm Advantage, visit www.lumidigm.com. We are available at +1 (505) 272-7057 and sales@lumidigm.com to answer your questions.
AdvantageTM
e-passport and BORDER CONTROL update Europe Union The new Schengen Visa Information System (VIS), first launched in September 2011 in the consular posts in North Africa, will be expanded to the Near East and Gulf regions and should be connected to all Schengen States’ consular posts worldwide within two years.
USA TSA started testing new technologies to identify altered or fraudulent passenger documents and boarding passes at selected international airports. The Credential Authentication Technology–Boarding Pass Scanning System (CAT-BPSS) scans a boarding pass and photo ID and authenticates the pass by automatically verifying the name.
Panama The Government of Panama chose a consortium to supply ePassports. The first biometric passports are expected to be issued in early 2013.
Chile The national records administration (Servicio de Registro Civile Identificación) will issue ID cards and ePassports under its new identification and travel document issuance system.
Netherlands A pilot project of automated border controls was launched at Schiphol Airport that can identify forged passports and wanted persons. Electronic gates equipped with facial recognition check passengers’ identities with digital passport photographs. France Toulouse-Blagnac Airport is testing SIM-based Near Field Communication (NFC) technology to allow passengers to pass through the airport’s controls and gates using only their mobile phones. Germany A new electronic residence permit is being issued to nationals from non-EU countries. Technically similar to the new identity card for German nationals, the card has a chip containing biographic and biometric data (facial image and two fingerprints).
Czech Republic Czech border police implemented an EasyGo eGate system at Prague Ruzyne Airport at the end of 2011, which verifies the authenticity of travel documents based on optical and electronic security features. A gate camera records a live image of the traveller, which is compared by the system to the passport photograph.
Moldova To increase security of national passports, 35 biometric data capture stations and 200 fingerprint readers were installed. Moldova’s new ePassports include digital facial photos, fingerprints and other document security features to prevent forgery and identity fraud.
Argentina Argentina started issuing new biometric passports in June 2012. Increased passport security will facilitate new visa-free agreements for Argentinean nationals.
Chart Source: ICAO MRTD Report Volume 7 Number 2 54
Winter 2012
Progress remains slow on e-passport inspection The issuance of electronic passports has been ongoing for more than six years, and to date more than 93 countries have issued some 345 million documents. What continues to lag, however, is the verification of the data on the e-passport chip. The whole idea was to make the documents more secure by reproducing the information from the passport’s data page on the contactless chip. Some 24 countries are reading e-passport at the borders, says Mark Joynes, director of product management at Entrust. This may sound encouraging, but just because a country claims to be
reading the chip does not mean they are doing it at every border checkpoint. An airport may have one immigration checkpoint that is checking the chip out of 50. “It’s spotty in a lot of locations,” says Joynes. Part of the reason for the single locations is that officials are in a testing mode. Border officials don’t want the chip verification to slow processing and add to already long lines, Joynes says. In places where reading is done, most are just using the Basic Access Control security, says Joynes. This requires the immigration official to swipe the machine-readable zone on
Estonia New passport enrollment equipment deployed by the Police and Border Guard Board makes passport application and enrollment available nationwide for Estonian citizens Latvia Latvia is se!ing up a new infrastructure for issuing and verifying electronic ID documents. This new PKI system enables verification checks of passports and identity documents at border control posts and all Latvian embassies across the globe. Algeria Algeria started issuing new ePassports in early 2012. The progressive roll-out of biometric passports is expected to be completed by the end of the year.
the passport before it can read the chip. The exception to this is among European Union Member countries, which will be required to add fingerprint and/or iris data to travel documents with the biometric information protected through Extended Access Control. Extended Access Control makes sure that only authorized entities are able to access biometric data – iris and or fingerprint – stored on the contactless chip. The scheme includes the authentication of a passport inspection station to the contactless chip as well as the authorization of that inspection station to access the protected biometrics.
If countries are reading the chips in the passports, it’s likely they are just checking their own citizens, Joynes says. In order to check the data on other country’s e-passport there needs to be a “Single Point of Contact,” a standardized mechanism for certificate management using Extended Access Control for electronic passports. Countries haven’t deployed these systems yet. The economic downturn is the main reason that countries have not widely deployed e-passport inspection systems, concludes Joynes.
Russia Biometric ePassports with fingerprint data are now being issued by the Russian Federal Migration Service.
China New biometric passports issued May 2012 have a digital chip storing personal details, facial image and fingerprints. Over 38 million Chinese are passport holders with an expected 20% increase annually. Indonesia Jakarta’s Soekamo-Ha!a International Airport launched Indonesia’s first eGate system, which ePassport holders can use at two international departure gates and eight international arrival gates.
UAE Dubai Airport opened a new eGate system based on biometric face recognition to speed travelers through border control. Rolled out in terminal three, the new system will be installed across all the airport’s immigration controls.
New Zealand The new Immigration Global Management System (IGMS) will see further improvements to Immigration New Zealand’s identity management systems, enabling real-time biometric checks internationally as well as introducing face biometrics and biometric alert lists.
Winter 2012
55
Feds require multifactor authentication for Health IT Higher levels of assurance a necessity
Michael Magrath, Director of Business Development, Government & Healthcare, Gemalto
T
he health IT landscape appears to be changing for the better when it comes to strong authentication. The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health IT voted Sept. 6 to require multifactor authentication in certain cases involving remote access to patient health information. When previous recommendations neglected to include stronger authentication requirements for health care professionals accessing electronic health records, the Office of the National Coordinator essentially put patient privacy and security at risk. They essentially swept security and authentication under the rug in the hope of increasing physician adoption of electronic health records. The Coordinator’s Office did not want to impede adoption of electronic records by making it difficult to use them. The current minimum requirements for identity assurance are set low requiring only a strong password. The reality is the Coordinator’s Office played Russian roulette, hoping that security breaches would not occur due to weak username and password authentication. Sadly security breaches did occur. As required by section 13402(e)(4) of the HITECH Act, the Secretary of U.S. Health and Hu-
56
Winter 2012
As of late September, there have been 29 reported breaches classified as “Hacking” with more than 1.3 million individuals affected man Services must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The list of breaches reported to the Secretary are posted at on the Department of Health and Human Services website. As of late September, there have been 29 reported breaches classified as “Hacking/ IT Incident” with more than 1.3 million individuals affected since the list was implemented in 2009. The largest and most disturbing incident occurred on March 30, 2012 when a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services server containing Social Security Numbers for Medicaid claims. More than 780,000 claims were accessed, 280,000 had their Social Security numbers stolen and 500,000 had less-sensitive personal data, such as
name, date of birth and address, compromised. A weak password was to blame. It is well documented that the majority of all network attacks occur at the account level, where user credentials are falsified to gain access to critical information. No matter how well a network is secured, the user is the weakest link particularly when the password is the primary means of protection.
Health care should consider the highest of assurance With the Sept. 6 decision to require multifactor authentication, health IT systems will begin to align with NIST’s Level of Assurance Three for authentication. This will hopefully be sufficient to protect patients’ privacy and security. However, if the Coordinator’s Office references only Level of Assurance Three, the majority of health care organizations will seek only those solutions without considering the stronger Level of Assurance Four options. The language should state Level of Assurance Three or Level of Assurance Four and clearly explain the differences. It should highlight the additional security and multipurpose capability a Level of Assurance Four solution can offer to reduce fraud,
Fall 2011
Winter 2010
Winter 2011
Fall 2010
Summer 2009
Spring 2011
Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews Regarding ID Magazine – a survey of identification tecÚology • SecureIDNews • ContactlessNews CR80News RFIDNews Regarding ID•Magazine – a •survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews
ID AS A SERVICE
Biometrics FOR PHYSICAL ACCESS CONTROL Match-on-card, spoofing, gait and more
Outsourcing identity and credentialing matures
✽ Visa: ‘Yes’ to U.S. chip-and-pin ✽ Phones replace cards for access ✽ New mandate puts PIV to work
HACKING The impact of smart card and security hackers
BIOMETRICS
Making the Case FOR FIRST RESPONDER IDS
• 2010: The year that wasn’t • Health care’s security breach • Germany’s contactless national ID
IDENTITY
TOP TRENDS IN
• Beyond the NFC hype • ePassports spread to half the globe • Voter IDs, Health IDs, Traveler IDs ... reid_fall10.indd 1
Iris at-a-distance takes biometric center stage
• Biometric social security cards • White House pushes online ID • Next generation e-passports
Health care mulls identity options EMV takes aim at U.S.
The
MOBILE AS A CREDENTIAL
Is the handset the ID of the future? • Contactless pickpocketing • INTERPOL’s converged ID • Facial recognition gets real
8/31/10 11:06:28 AM
Own the entire collection
Get 1000+ pages of ID insight Receive 70% off for a limited time (just $60)
- Educate new employees - Refresh your industry knowledge - Research for presentations - Review best practices - Gain a competitive edge
For the first time, AVISIAN is offering all back issues of their industry leading re:ID magazine in a packaged set. You receive three year’s worth of top-notch news and insight – 25 issues of re:ID and six issues of CR80News magazine. Plus you get password-protected access to our online library with more than 20,000 articles and 1200 members-only articles.
visit store.avisian.com | select re:ID back issue collection | enter discount code “SAVE70”
protect patient privacy and secure access to electronic health records. A Level of Assurance Four system with smart card technology provides mechanisms for authenticating others who want to gain access to the card. These mechanisms can be used to authenticate users, devices or applications that want to use the data on the card’s chip. These features can be utilized by a system to protect privacy by, for example, ensuring that an electronic health record application has been authenticated for the appropriate access rights before accessing the health information or functions on the card. Additional benefits provided by smart card technology include a robust set of encryption capabilities including key generation, secure key storage, hashing and digital signing. These capabilities can be used by a system to protect privacy in a number of ways. For example, a smart card system can produce a digital signature to validate the authenticity of an email when a health record is exchanged from provider to provider or an electronic prescription is transmitted to a pharmacy. This protects the message from subsequent tampering and provides the recipient with an assurance of where it originated. The fact that the signing key originated from a smart card adds credibility to the origin and intent of the signer. The reality is Stage Three requirements will not go into effect until 2015 leaving plenty of time for the breaches classified as
or electronic prescribing. Physicians often are affiliated with more than one hospital meaning they may have several credentials per hospital. These all cost money and can be difficult for physicians to manage. Health care organizations are already purchasing Level of Assurance Three solutions to comply with the U.S. Drug Enforcement Agency’s requirement for the electronic prescription of controlled substances. In most cases they are additionally still issuing proximity cards and flash passes.
PIV-I: A multi-purpose, Level Four credential As a Level of Assurance Four credential, PIV-I is available from multiple sources and meets or exceeds every authentication requirement already mandated or being discussed in Washington for the health care industry. PIV-I has been recommended by FEMA and is the credential being deployed as the First Responder Authentication Credential by several state and local governments because it is standards-based, non-proprietary, trusted by the federal government and can be used for multiple purposes. The first responder population encompasses approximately 20 million people in the U.S and health care professionals represent a significant percentage of this population including the nation’s four million physicians, nurses and emergency medical technicians. By putting a FRAC in the hands of the medical community, local authorities will be able to rapidly grant access to only qualified individuals during emergency situations like Hurricane Katrina. As a patient in the U.S. health care system, it is pleasing to see that Office of the National Coordinator appears to be addressing security. Let’s hope the system isn’t undermined prior to 2015.
The reality is Stage Three requirements will not go into effect until 2015 “Hacking/IT Incident” to increase well past the 29 incidents already reported. Health care organizations spend a lot of money managing identities. Each hospital may issue a flash pass, a proximity card for physical access into certain areas and a one-time-password token for remote access
58
Winter 2012
Health and Human Services recommendations for authentication in health IT systems 1. The Coordinator’s Office should move toward requiring multi-factor authentication – meeting NIST Level of Assurance Three – for remote access to protected health information. Remote access includes the following scenarios: 2. Access from outside of an organization’s private network. 3. Access from an IP address not recognized as part of the organization/entity or that is outside of the organization’s compliance environment. 4. Access across a network any part of which is or could be unsecure, such as the open Internet or an unsecure wireless connection. 5. Organizations, as part of their HIPAA Security risk analysis, should identify any other access environments that may require multiple factors to authenticate an asserted identity. 6. Organizations should continue to vet providers in compliance with HIPAA. 7. Such policies should extend to all clinical users accessing/exchanging data remotely. 8. Technology options for authentication continue to evolve and the Coordinator’s Office should continue to monitor and update policies as appropriate to reflect improved technological capabilities 9. The Coordinator’s Office should work to implement this recommendation and continue to be informed by the National Strategy for Trusted Identities in Cyberspace and aim to establish trust within the health care system. 10. For example, NSTIC also will focus on the capability to pass along key attributes that can be associated with an identity. The capability to pass key attributes – for example, valid professional license – may be critical to facilitating access to data. Source: U.S. Department of Health and Human Services
an event by
PIV-enabling google apps NASA aims for the cloud Andrew Hudson, Contributing Editor, Avisian Publications
NASA and Google are enabling government employees to access networks more conveniently and securely using their agencyissued Personal Identity Verification (PIV) cards. “NASA has been running a pilot with Google Apps for Government for more than a year,” says Tim Baldridge, former NASA ICAM Solutions Architect who presented the pilot at an Interagency Advisory Board meeting. The pilot – open to 600 IT personnel at the agency – enables NASA users to connect to Google Apps for Government using their existing PIV smart card for access to networks and accounts. Incorporating NASA’s user interface – NASA Access Launchpad – the initiative increases authentication security and convenience while taking advantage of the Federal ICAM architecture. “The Launchpad is a customized front-end program that we’ve built around Oracle Open SSO,” explains Baldridge. “The user interface is based on the four mechanisms in place: Windows Desktop single sign on, username and password, RSA token and Level of Assurance 3/PIV.” The pilot configuration is mindful of the stringent conformance demands that can sometimes befall verification initiatives. “Google Apps is a SAML 2.0 capable ‘software as a service’ offering,” says Baldridge. The Access Launchpad uses SAML 2.0 but, he notes, the version recently put into production supports OpenID as well. OpenID is an interest for future consideration for NASA though not currently incorporated in the Google Apps pilot. Baldridge makes it clear
60
Winter 2012
that the pilot initiative is not a final product. “We do not put any sensitive data up on the pilot,” explains Baldridge. “The pilot hasn’t gone through all the FISMA conformance, so everybody knows to treat this as low assurance.”
What does Google offer? The NASA pilot is using four components – documents, sites, groups and contacts – of the Google Apps offering, explains Baldridge. Google Apps also features email and calendar support though NASA has foregone these applications in favor of its own mail and calendar functions based on Microsoft Exchange. The pilot enables verification on a number of levels. The Access Launchpad logon screen will accept username and password, smart card and RSA tokens as credentials, says Baldridge. Access to the service is simple. The user goes to Google Apps, is given a redirect back to NASA’s Launchpad token service and based on the login, an assertion is generated, explains Baldridge. “The Launchpad also has an implementation that includes Windows desktop single sign on,” he adds.
Using PIV With multiple forms of authentication, identifying the type of login as well as the identity associated with it becomes important. Access Launchpad serves a verifier function delineating between authentication technologies used at the time of login. “Whether we’re using a PIV card, PIV-I credential or a credential on a mobile device, we can verify it and make the assertion based on what we’ve verified,” says Baldridge. The system can tell the difference between PIV-I and PIV, a mobile device or thumb drive/
USB based device, says Baldridge. “The idea here is to remain extensible in the architecture where different kinds of form factors can be used according to their levels of assurance.” The pilot, as expected, is a relatively stripped down version of the proposed final product and is only operating on Level of Assurance Two. For Baldridge, the fact that employees can use a one-time password or a PIV is the takeaway.
Simplicity Simplicity is a key factor for the NASA initiative. The system enables an organization to sync massive rosters of credentials with Google in a simple and efficient manner, says Baldridge. “We can take all 96,000 identities at NASA and present them to Google Apps for access if they are authorized,” says Baldridge. “We simply go into Google Apps, provide a spreadsheet of identities for authorization and after literally five minutes of configuration, all these identities are accessible – thru their PIV cards – to Google Apps.” Speed and efficiency are key to any business model and Baldridge suggests that those interested in the bottom line should not discount the NASA/Google initiative. “Five minutes of configurations to turn your application on to 100,000 accounts, that’s a return on your investment,” says Baldridge. “You’re not redoing what you already did – provisioning and managing passwords.”
Cloud: the final frontier The value in using PIV cards in NASA’s new system is that creates a secure application for authentication in the cloud. “All we would need to do to lift up the level of assurance is for the application to say ‘I need an authentication context that is level two or level three,’” Baldridge says. This may seem a simple explanation for a rather
complex solution. However, the results, according to NASA and Baldridge, are substantial. “We can say that the cloud is PIV capable, that is the message – the public statement,” says Baldridge. Using the system is simple as well. NASA has a SAML 2.0 conformant configuration in place for Max.gov, a commonly used government portal. “If you’re logged on to your NASA issued desktop, you can simply click the button without providing password or PIV – it is, in fact, the Windows desktop single sign on of NASA Launchpad.” Baldridge sees this as a convenient, especially when traveling. “When you travel, you don’t have to remember username and passwords.”
The caveat
We simply go into Google Apps, provide a spreadsheet of identities for authorization and after literally five minutes of configuration, all these identities are accessible – thru their PIV cards – to Google Apps.
For all that NASA’s initiative with Google promises, Baldridge was sure to mention one caveat associated with the project. “The Federal SAML 2.0 single sign-on profile had an overly restrictive statement in it where (NIST Special Publication 800-63) actually says you have a secure channel or an encrypted assertion,” explains Baldridge. “But the profile only said encrypted assertion.” “Google doesn’t encrypt the assertion, it only encrypts the channel,” explains Baldridge. “We were trying to fix that language but didn’t quite fix it right so we have another iteration to go through to get that right,” says Baldridge. It’s a fine print issue that does little to take away from the NASA and Google Apps initiative. Using the cloud to provide secure and streamlined employee verification is a key step to enable access anytime, anywhere. Add the fact that it incorporates PIV credentials that are already in the hands of government employees and the solution’s value rises.
Winter 2012
61
SecureKey delivers online authentication with existing IDs
“We want to make the authentication of people over electronic systems convenient and secure,” says Charles Walton, CEO at SecureKey. Founded in 2008, Toronto-based SecureKey is a relative newcomer to the identity market. Its focus is twofold: place secure identity credentials on mobile devices and create identity ecosystems that use credentials consumers already have. One of SecureKey’s first entries into the market was incorporating its security software into Intel’s Management Engine, a secure coprocessor used in the company’s Ultrabooks. After several years of effort, the technology is just now being introduced. The Management Engine acts as a secure reader that interfaces with SecureKey’s cloud-based authentication service, Walton explains. It can be accessed by different applications that require access to the security kernel. Some Intel Ultrabooks have built-in
62
Winter 2012
NFC capability enabling a user to tap a card or NFC handset on the computer to be authenticated. A consumer could make a payment with a contactless card using the technology or the same payment card could be registered and used as an identity token. The system would verify the credential data, authenticate the card as well as the computer and then authorize the transaction. SecureKey demonstrated its technology being used for online payments at the 2012 Intel Developer’s Forum. An
NFC-enabled Ultrabook was used to make a purchase using a contactless credit card. When the card was tapped the required form was auto-filled and the payment transaction processed. The technology can enable other non-payment transactions as well. “The same PayPass card could be tapped and instead of invoking a payment we could login to a home bank account,” Walton says. This ties into one of SecureKey’s main areas of focus – using existing credentials to secure additional types of transactions. This is the type of system that SecureKey is building for the government of Canada, Walton says. The Canadian government has been working to federate identity so citizens can access services online using a strong identity. The first credential providers for the project include BMO Financial Group, TD Bank Group and Scotiabank. SecureKey’s Credential Broker Service enables bank-issued online credentials
to be used for authentication to social benefits agencies, employment benefits and the Canadian IRS. Canadian citizens have a choice of whether or not to use the system. When they visit a government site they can choose to create a new login that is unique for the government site or use their banking information. If they choose the latter they are directed back to the bank site, asked to login and provide required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site. When a user authenticates with their bank, the bank will give SecureKey a non-identifying security token. SecureKey then substitutes the token with a new non-identifying but unique token for the Government of Canada that says the user has been authenticated. The Credential Broker Service is tripleblind meaning no party to the transaction knows who has provided precisely what information, thus ensuring the user’s privacy. SecureKey is simply a broker of anonymous credentials. The Government is responsible for ensuring that it is actually you accessing your information. The bank is responsible for providing a valid security “token” that only you have so that you connect to Government services more securely. Eventually those with contactless payment cards will be able to tap them on laptops or readers in order to gain access to government systems, Walton says. The project is moving in this direction but readers have not yet been deployed.
Federating identity in Canada and around the globe Canada isn’t the only country seeking to enable high assurance credentials for online citizen identity. The UK, Australia
and U.S. all have initiatives underway to help facilitate privacy enhancing, secure identities on the Web. Walton envisions a future where a chip-enabled ID card could be tapped on a computer and used to access government resources, make a purchase or make a doctor’s appointment. “This framework can become a multi-agency, multi-purpose ID,” he says. SecureKey is looking for “anchor points” in different markets from which to build. For example, if a financial institution with an airline partnership signed with SecureKey, the banking credential could also be used for access to the airline web site and rewards program. It could even extend further, serving any of the financial institution or airline partners. Establishing anchor points in addition to having more NFC-enabled devices in the market will make strong authentication easier, Walton says. When SecureKey was started in 2008, its idea to use contactless cards and NFC for login to sites was the same. But laptops with embedded card readers were virtually non-existent. To fill this void, SecureKey developed a USB reader that could create the same experience without an embedded reader, Walton says. The reader looks like a flash drive but serves as a fully functional contactless card reader when plugged into a computer’s USB port. Today, these readers are being rolled out in Canada for use in its identity project. Oftentimes the biggest obstacle to identity projects is credential issuance and identity vetting. SecureKey strives to make use of credentials that already exist and takes advantage of identity vetting processes already in place. Using credentials and systems that consumers already use will go along way to increasing identity security online, concludes Walton.
The reader looks like a flash drive but serves as a fully functional contactless card reader when plugged into a computer’s USB port.
Winter 2012
63
Army Reserve upgrades physical access control Puts PIV to use with an eye toward standard’s revisions Jill Jaracz, Contributing Editor, Avisian Publications
The mandate to achieve FIPS 201 compliance means that many government departments and agencies must upgrade their access control systems. In 2012, the U.S. Army Reserve Control (USARC) achieved their upgrade with the help of Monitor Dynamics’ FICAM Platform. Before the upgrade, the Army Reserve relied on proximity and magnetic stripe technologies. This is what most Department of Defense and civilian U.S. federal government agencies still use, says Mike Garcia, vice president of marketing and business development at Monitor Dynamics. “HSPD-12 and FIPS 201 have been around for seven and five years respectively, and while we have a great number of the high assurance ‘keys’ deployed, we have not seen the same uptick in physical access systems or ‘locks.’ The Defense Department with its physical access control requirements and now the entire federal government with OMB M-11-11 has created a compliance mandate for high-assurance locks – or physical access control systems – and we are beginning to see a huge increase in demand for compliant locks,” says Garcia. Finding FIPS 201 compliant systems is actually one of the challenges in complying with the mandate. The standard defines the credential and various component parts but it does not define the overall physical access control system. To answer that question, the Army Reserve started with future proofing in mind, Garcia says. They sought FIPS 201-2 compliance considering
Finding FIPS 201 compliant systems is actually one of the challenges in complying with the mandate
64
Winter 2012
potential modifications to the existing standard in their choice of access control systems. The Army Reserve opted for a system that could comply with government mandates requiring electronic validation of PIV credentials and also could meet future standards. To that end, the Army Reserve chose Monitor Dynamics’ Trusted FICAM Platform. “The command and control center software manages everything in the field globally,” says Garcia. “From the head-end of the physical access control system, which is usually located at the headquarters on the main server, you have administrator privileges and rights to control the rest of the field hardware, computers and other devices.” The system enables the Army Reserve to use Defense Department-issued Common Access Cards for logical and physical access control in a unified system delivering PKI at the reader, says Garcia. The multi-factor authentication requirements of the system make it impossible for anyone other than the cardholder to gain access. This prevents security breaches due to lost, stolen, manipulated, invalid, copied and revoked cards or cards that have no trusted path, says Garcia. The Army Reserve can provision PIV and PIV-I cards from other issuers into their physical access control system, says Garcia. “One of the biggest problems in physical access control system is
The entire authentication and validation process takes 2.5 to 3 seconds on the FICAM system, including the time needed to enter a PIN
visitor management. The ability to understand that an individual is who they claim to be and they are still employed is a quantum leap in security over current conditions,” says Garcia. “The access privileges to the building are still granted and managed locally, but it is with a higher assurance.” The Army Reserve granted contracts on a facility-by-facility basis. During the past two years, Monitor Dynamics has been installing systems in locations across the nation. To date, the Trusted FICAM Platform has been implemented in more than 40 locations. Upon implementation, the Army Reserve then works with CertiPath to perform a site certification based on CertiPath’s checklist and testing methodology. CertiPath conducts the system level testing on the Trusted FICAM Platform by taking the PIV/PIV-I capable components and testing them as a complete system against FICAM controls encompassing both security and usability. CertiPath tests the head end server, validation client, secure controller, physical access control panels and card readers at the door using both external cards and CertiPath’s proprietary threat-specific cards. To use the system, a person presents a Common Access Card, PIV or PIV-I- smart card to a two-factor or three-factor FIPS 201 approved reader at the door. The user then inputs a PIN and/or scans an index finger. The system checks the various factors against the credential and the information on the card’s chip. If one factor doesn’t match, the person is denied entry at the door. If the factors do match, the system verifies the person against the revocation list.
If the Certificate Authority deems the digital certification the card to be invalid, be it expired, lost, stolen or fake, it’s denied. If it’s a valid match, the Certificate Authority sends it on to the physical access control systems head-end to make the entry and exit decision at the door. The entire authentication and validation process takes 2.5 to 3 seconds on the FICAM system, including the time needed to enter a PIN, says Garcia. Getting users used to the new system was a bit of a challenge for some. Army Reserve personnel also had to get used to employing two and three factors for authentication. Having to learn this new process and remember a PIN proved to be a complicated adjustment for some who had been using the prior system for many years, says Garcia. System administrators also had to get used to a new enrollment system with FICAM. The learning curve can cause a bottleneck in the short term but becomes easier over time, says Garcia. Likewise, a more complicated badge means a more involved badging system. In the old system, administrators could take a picture, issue a badge and hand it to the person. FIPS 201 has more security requirements that administrators must abide by when issuing badges, says Garcia. “These challenges can all be addressed with training and repetition,” says Garcia. “And when compared to prior systems that run two wires to a reader and enroll a proximity card, the benefits and security are much greater.”
Winter 2012
65
NFC-enabling voter registration Rock the Vote goes high-tech for 2012 elections The November election is a recent memory but before ballots were cast, Rock the Vote added another technology to its bag of tricks to inform young people of their voting rights and help them register to vote.
The latest “We Will” campaign used NFC technology to enable citizens to begin the voter registration process and in some cases even register to vote, says
66
Winter 2012
Mikhail Damiani, CEO and co-founder of Blue Bite. It was anticipated that recent legislation requiring voters to present government issued ID at the poll would made it harder for young people to vote in 20 states. The “We Will” campaign aimed to educate young people about these changes and reminded them of their collective power. This year, the Rock the Vote organization invested in its largest traditional and digital out-of-home campaign, incorporating billboards, phone kiosks, wild postings, taxi tops, college shuttle buses and digital screens in highvisibility areas. It also included NFClayered bus shelters for the first time. The campaign combined messages with photography and graphics and included NFC interactivity from Blue Bite, a mobile marketing company specializing in location-based campaigns. On Oct. 1, it rolled out nationally with QR codes and in New York City and Mi-
ami with the NFC tags, Damiani says. Individuals with NFC phones were able to tap their handset on a tag to be directed to a Web site to fill out voter registration forms. The QR codes performed the same function when NFC was not available. In states where voters can register online the forms were directly submitted to the state, Damiani says. In other cases individuals were encouraged to fill out the forms, email them and print out later for submission. As of press time statistics on the campaign were not available, but overall use of NFC in these types of advertising campaign is picking up, Damiani says. Blue Bite has produced many campaigns that enable a user to tap an NFC tag for access to content or to download an application. Damiani says the number of consumers using NFC compared to QR codes has increased dramatically. “A year ago NFC was one out of every 10 impressions but now it’s one of every four,” he says.