Smart Card Talk January 2013
a Smart Card Alliance ePublication
Volume 18 : Issue 1

In This Issue: Executive Director Letter; Latin America Letter; Member Profile; Feature Article; Council Reports

Dear Members and Friends of the Alliance,

This month we are pleased to unveil a slimmed-down version of Smart Card Talk, our monthly e-newsletter that you receive as a subscriber to this publication. This new, streamlined format will allow you to easily locate, and enjoy, the most widely-read portions of the newsletter, including our Monthly Profile, Feature Article and Council updates. For other news, including Members in the News, Alliance in the News and other tips formerly found in Smart Card Talk, I invite you to read our Monthly Member Bulletin, which is available to Alliance members on the members-only section of our website. If you are an Alliance member but don’t receive the Bulletin, please send an email and you’ll be added to our list.

Smart Card Talk features the news and information that have been shown to be most valuable to you. I encourage you to visit the Smart Card Talk archives to read past issues of the monthly e-newsletter and the profiles, feature articles and industry news that you might have missed.

Thank you for your support, and we look forward to continuing to provide you with the leading news on the impact and value of smart cards in the United States and Latin America.

Sincerely,
Randy Vanderhoof
Executive Director, Smart Card Alliance

Feature Article: Strong Authentication Using Smart Cards for Logical Access
Threats to sensitive data, regulatory mandates, and moves to more public cloud-based IT systems have global organizations seeking new ways to strongly authenticate identities prior to granting access to computer networks, systems and applications. This month’s article explains the role of smart card technology in filling organizations’ needs for strong authentication.

Member Profile: IDmachines
This month Smart Card Talk spoke with Salvatore D’Agostino, CEO of IDmachines LLC, a Boston-based consulting practice focused on identity (people and things), credentialing, access control, security and automation.

Event Calendar
EMV Migration Forum: February 4, 2013, in conjunction with the 2013 Payments Summit, Salt Lake City, UT
The 6th Annual Conference, 2013 Payments Summit: February 5-7, 2013, Grand America Hotel, Salt Lake City
NFC Solutions Summit: May 15-16, 2013, San Francisco, CA
executive director’s corner
Industry Thoughts For The Year

Dear Members and Friends of the Alliance,

It is time for my annual look into what the future might bring to the payments and mobile markets. I LOL’d myself (that’s Laugh Out Loud for those who don’t have teenagers) when I looked back on my letter from last year and saw which of my predictions did come true, which ones didn’t, and what did happen that wasn’t on my radar screen.

A year ago, we were still anticipating what MasterCard would announce regarding its EMV roadmap for the U.S. market. We had been waiting nearly 6 months since Visa made their bold EMV announcement in August 2011, and there was a lot of uncertainty whether MasterCard would jump into the deep end of the EMV migration pool or keep dipping its toes in the water. MasterCard did not disappoint, and in fact they upped the ante even more by leading their issuers and processors to consider both online and offline EMV, and chip & PIN or chip & signature, and maintained the same timelines for the conversion to full EMV that Visa had proposed despite Visa’s 6 month head start. This was the signal that issuers, merchants and processors were waiting for, and within a few months of MasterCard’s announcement, Discover and American Express announced similar EMV migration strategies. Seemingly overnight, the oversized, overcomplicated, overly costly to convert to EMV U.S. payments market went from “Are we going to adopt EMV?” to “How are we going to adopt EMV?”

The other chuckle I got was my preoccupation last January with whether Apple’s decision to include NFC in the next Apple iPhone 5 was going to be the savior or the demise of NFC in America. As it turned out, it did neither. The iPhone 5 did not come with NFC and after the shock wore off, nobody seemed to care. Sure, the iPhone garners 40% of the smart phone market, but Android-based smart phones were plentiful already and nobody still had any place to use NFC. Isis’s big launch was delayed until late summer and Google Wallet went through a retooling for most of the year, so there weren’t any NFC wallets available anyway. Apple doesn’t make many mistakes, so they obviously knew that the demand for an NFC-enabled phone could wait another cycle (or two).

As for the most surprising thing in 2012 that I never saw coming – that has to be the broad cross-industry support of the new EMV Migration Forum, the organization started by the Smart Card Alliance in August as a separate, EMV migration-focused organization, that went from concept to launch in less than 90 days. Within 5 months the Forum had signed up over 100 member organizations and had over 300 individuals participating in four working committees eagerly tackling the most challenging issues facing the U.S. payments market. The Forum has attracted senior level executives and technical experts from the payments brands, issuers, merchants, processors, acquirers, regional networks, consultants, integrators, and industry suppliers – all with a common mission to coordinate the timeliest, most efficient, and cost-effective way to migrate the complex, diverse U.S. payments market to EMV.

Equally surprising, none of this attention on EMV has taken any momentum away from the Smart Card Alliance. In fact, membership has grown steadily in the Alliance while many of our member organizations have chosen to also become members of the EMV Migration Forum. Leveraging the breadth and depth of knowledge from industry leaders that continues to keep the Alliance strong and now strengthens the EMV Migration Forum, coupled with the new energy and thirst for information from merchants, financial issuers, processors, and integrators who have joined the mix, has created a powerful force for change that will help shape the face of the U.S. market for the next few years.

What lies ahead for 2013? There are a few interesting things on the horizon. I believe that the mobile phone is going to be at the center of many of the major developments in the market. Sadly, I think the least of such developments is going to involve NFC wallets, which will need another year of incubation and coddling before they find their stride. This next generation of mobile devices in 2013 will be faster, cheaper, and more secure than the current versions. Mobile wallets will get better and more open for other applications beyond payments, such as identity tokens, consumer offers, and peer-to-peer exchanges of pictures and music, as well as social media exchanges. Also, I think the continued expansion of 2D barcode and QR code applications will expose consumers to new ways to connect to the cloud and to favor applications that will create the rails for NFC-enabled readers and data tags to replace scanners and printed codes.

I predict there will be more than just talk about mobile health applications and mobile transit ticketing and parking in the next year. Large, well-funded enterprises like PayPal and Square will get stronger. MCX will fade away or morph into something completely different than the alternative merchant-led mobile payments processing network announced in 2012. And at the end of the year, I will look back on many of these predictions and “LOL” again for not seeing what was seemingly right in front of my eyes. It is the unpredictability and excitement in our industry that make this job so enjoyable.

Lastly, don’t miss the 2013 Payments Summit Conference, February 5-7 in Salt Lake City – and bring your skis!

Sincerely,
Randy Vanderhoof
Executive Director, Smart Card Alliance
rvanderhoof@smartcardalliance.org
latin america corner

Happy and Productive New Year

Dear Members and Friends of the Smart Card Alliance Latin America & the Caribbean,

As we start this exciting New Year with its challenges and opportunities, there are a few items to share concerning activities we are working on to improve SCALA members’ access to information on smart card technology. As the year moves on, these activities, deliverables, and strategies will be formally unveiled, but this is a good opportunity to give you an overview of what you can expect from SCALA, and to encourage each of you to become involved.

A positive change for SCALA that we expect to make life easier for both members and friends of the chapter is our new web address: www.sca-la.org. This is a shorter and simpler web address that will help draw more readers to our site to access information, as well as search for valuable content related to the region.

In 2013 we will also expand the scope of our EMV Tour conferences. The EMV Tour conferences will contain new content and be geared to additional regional markets to allow for greater exchanges of information. Our next conference event, co-organized with PaymentMedia, will be held March 20 at the Hilton Hotel in Puerto Madero, Argentina. The EMV Tour – Cono Sur will offer content specifically focused on the markets for Argentina, Paraguay, and Uruguay. For more information visit www.emvtour.com

In addition to our efforts to promote EMV Migration and Payments Evolution in Latin America, our SCALA team is taking the opportunity of meeting with the newly elected government of Mexico to coordinate our next Government Information Exchange mission. The new Mexican government will have the responsibility for the deployment of many smart card related identity projects such as e-passport, national ID, government ID, driver’s licenses, and healthcare ID. SCALA has decided to partner with the U.S. Commercial Services for this Government Information Exchange mission to Mexico, which is scheduled for May 29th, 2013.

We have also set forth an ambitious plan of expanding the availability of impartial content in Spanish and Portuguese. Our team has identified a series of white papers and industry reports to be modified, translated, or developed for the Latin American and Caribbean markets. This month we will be publishing the first of a series of White Papers, “Mobile Devices and Identity Applications”, in Spanish on the new SCALA website.

Finally, I’d like to mention that SCALA is featured on the cover of the December/January edition of PaymentMedia. The focus of this edition is on the important role our organization plays in the Latin American and Caribbean markets to provide impartial information, develop strategic alliances, educate the market, and present a united front for the industry. To view this edition in electronic format visit www.paymentmedia.com

I encourage all of you to get involved in our organization and our activities, and to provide us with your feedback on any of the content being presented. I wish all of you a wonderful and successful beginning of 2013.

Sincerely,
Edgar Betts
Associate Director, Smart Card Alliance Latin America (SCALA)
Direct Line: +507-225-9089, email: ebetts@smartcardalliance.org
member profile

This month Smart Card Talk spoke with Salvatore D’Agostino, CEO of IDmachines LLC, a Boston-based consulting practice focused on identity (people and things), credentialing, access control, security and automation. A graduate of Harvard University, D’Agostino holds a patent in System and Method for Managing Advertisement and Information Displays on Vehicles Based on an E-Commerce Site, is CSCIP-certified, and was recognized in 2012 by the Smart Card Alliance as both a Top Contributor and Honor Roll member of the Access Control Council and Identity Council. This recognition is given to individual contributors of the Smart Card Alliance Industry Councils who demonstrated council leadership, project leadership, project participation and meeting participation from April 2011 through March 2012.

1. What is IDmachines’ main business profile and offerings?

IDmachines continues an arc of work over the last 30 years that has moved from technology assessment to machine intelligence to its application in industrial automation to a focus on machine vision (video analytics) for security and manufacturing quality control to distributed credential validation and authorization to IDmachines today. Besides our subject matter expertise and related consulting services, IDmachines has developed an open-source-based toolset to help end-users, system integrators and original device manufacturers create, deliver and maintain solutions that incorporate best practices around identity, credentialing and access management (ICAM). To a great extent the lessons learned in providing automated quality control solutions to high volume and high accuracy manufacturing have been applied to the access control and security context. Security is a quality problem where there is a need to maintain the throughput and quality of the good while identifying and rejecting the bad. Finding a way to make this decision objective, automated and consistent while meeting business goals applies across the use cases.

2. What role does smart card technology play in supporting your business?

I appreciate the fact that you refer to this as smart card technology. Too often people get stuck on the form factor and fail to realize that smart card technology is put into over 5 billion devices a year, a great many of which are mobile devices. Much of IDmachines’ business involves ICAM in industry where governance, risk management and compliance (GRC) are major business drivers. Smart card technology provides a means of providing strong authentication, strongly bound to an individual or device at the highest possible levels of assurance, which is a need across our customer base. Smart card technology provides a platform to deliver standards-based and interoperable solutions that we strongly associate with the value our services and tools can deliver. While it is not the only identification, credential and authentication technology we deploy, it provides a very important part of the solutions our clients are looking to provide or use.

3. What trends do you see developing in the market that you hope to capitalize on?

The desire to consolidate the number of authentication tokens, bring your own device (BYOD), service-based solutions (aka “Cloud”) and the drive toward standards in the physical security world all are having a positive impact on our business. All of these trends benefit from a strong identity program that incorporates best practices for registration, issuance and use. In fact none of these are possible without a strong enterprise, agency or government identity program. Given the fact that a strong identity program necessarily includes business, legal and technical (BLT) requirements, organizations need a polyglot on their team. IDmachines prides itself on being able to speak these multiple languages and to serve our customers in bridging these areas. We post a blog each year on the trends for the coming year as part of our strategic planning. We don’t really hope to capitalize on this; we have a business that has grown based on our understanding of these trends every year.

4. What obstacles to growth do you see that must be overcome to capitalize on these opportunities?

As a small and growing business, maintaining focus is our biggest challenge. We have to stick to our particular subject matter expertise and where it can be best leveraged. This is why we have invested in developing toolsets to help deliver our services. The good news is that these tools are really useful and widely applicable; the tricky part is developing them while continuing to meet the needs of our customers and evolving them so that they may be used by others. It is not so much an obstacle as it is a matter of balance. Ongoing education is more a challenge and opportunity than obstacle, but it’s an important part of leveraging opportunities. Apart from IDmachines, we see quite a lot of situations in which organizations get into standards-based interoperable smart card technology but don’t necessarily have the commitment or make the investment it takes to achieve the objectives. It is important that people understand that identity is a 21st century utility and that the development of a utility such as the electric grid, telephone, cable, fiber and other networks necessarily has a significant upfront investment. Once the infrastructure is in place then it can be leveraged, but this takes place over years.

5. What do you see are the key factors driving smart card technology in government and commercial markets in the U.S.?

In some sense I just touched on this in the sense that the acronyms -- ICAM, GRC, BYOD, XaaS -- are all pushing the need for strong interoperable identity credentials. These need to continue to be related to key business drivers; they need to be able to be shown to address a growing identity and fraud problem; and they need to be shown to be relevant today. Unfortunately government and critical infrastructure organizations are targeted every day by a range of adversaries running the gamut from casual hacker, to criminal to terrorist. Fortunately a strong identity program and smart card technology can help.

I also think that too much emphasis has been placed on mandates as the way things get done. Presidential and Office of Management and Budget directives can help to establish standards, programs and policy and play an important role, but they are not sufficient to accelerate use. In order for this to take place you have to get back to business drivers. As someone who was involved from the early days in credentialing first responders, it became very obvious that all of the enterprise and, even better, personal use cases need to be put into play in order to justify the investment. The industry knows that ease of use for both end users and developers will trump security concerns in most cases; it needs to remind itself of this. Building on these lessons will be key drivers.

6. How do you see your involvement in the Alliance and the industry councils helping your company?

IDmachines is very careful in choosing which organizations to join and where we invest our time. We see our involvement in the Alliance as an active one in which we can also act in a leadership role. I have served as Secretary of the Identity and Access Control Councils for the last couple of years. The councils provide a place where industry and end users can work together to identify and, through education, address needs in the market place. In doing so, a learning process takes place that incorporates the knowledge of all involved in the councils. The ability to continue to learn and evolve personally and as a business is crucial to success.

7. What are some of the challenges you see confronting the smart card technology industry?

One of the major challenges confronting the industry is the ability to evolve with the way people use identity credentials -- in particular, the need to provide solutions that are both RESTful as well as provide strong identity and authentication. We worked this summer on a project at the MIT Media Lab where we used a smart card/mobile device as a carrier for an OAuth token since digital certificates are not always a viable solution. Blending these solutions expands the use cases supported, strengthens the return on investment and provides a way to take the best of technology sets. Smart card technology needs to make privacy a primary part of its vernacular; it’s a benefit of the technology that is often underemphasized.

Member point of contact
Salvatore D’Agostino, CEO, IDmachines LLC, sal@idmachines.com
feature article
Strong Authentication Using Smart Cards for Logical Access

Where minimal security is required (such as on a home computer that is not connected to the Internet), a simple logon name may be sufficient. Requiring authentication, such as a personal identification number (PIN) or password, adds a level of protection. This combination provides minimal authentication and can be supplemented or replaced by requiring other authentication tokens, such as digital certificates, hardware-based authentication tokens, or biometric data.
Smart card technology has advanced over the last 30 years: storage and processing capabilities are improved, security has been enhanced, the management software has matured, contactless technologies are available, and multiple applications can now be integrated on a card. Smart cards now support a variety of the logical access applications used by organizations, including network logon, one-time passwords (OTPs), virtual private network (VPN) authentication, e-mail and data encryption, digital signatures, enterprise single sign-on, secure wireless network logon, and biometric authentication. Today, smart cards can play an essential role in the security backbone of an organization’s identity management architecture, supporting the strong authentication required to validate individuals accessing networked resources and providing a critical first step in protecting against intruders.
Authentication Overview

In general, authentication is the process by which something is shown to be genuine. In this article, the term is applied to the identity of a person (though it can also be extended to things) and, by extension, to the items used to prove that identity to an electronic system, such as background documents, user name-password combinations, smart cards, or biometric data. The authentication method used and the extent to which it is applied depends on the subject being examined. For example, different measures are employed to authenticate a $1 bill as opposed to a bill of a much higher denomination. Similarly, a different method is used to authenticate someone who is requesting access to a product technical support web site as opposed to someone accessing secure government or military networks.
The strength of any authentication process depends on both the quality and diversity of its constituent parts. To build greater integrity into a solution, the authentication methods should employ complementary mechanisms. Historically, these mechanisms have included something a person knows (a password), possesses (an object), or is inherent to their physiology or behavior (a biometric factor) [1]. The concepts of uniqueness and secrecy are very important in this context. Although location data and knowledge-based authentication can limit the potential for fraud within a system, as currently implemented they provide only a limited degree of uniqueness and secrecy, respectively.
What Is Strong Authentication?

Strong authentication currently has no precise definition; it is not a strictly mathematical concept with purely quantitative measurements, but rather a qualitative measure with a relative scale. For example, the government’s Personal Identity Verification (PIV) smart card program outlines the following levels of authentication assurance [2]:
• Some confidence: a basic degree of assurance in the identity of the cardholder
• High confidence: a strong degree of assurance in the identity of the cardholder
• Very high confidence: a very strong degree of assurance in the identity of the cardholder

“Strong” generally means better than what has traditionally been acceptable. For electronic systems, strong authentication goes beyond the typical user name-password combination and other simple, single-factor authentication methods. “Strong authentication” provides a higher level of confidence in the identity of the individual. Measuring authentication strength typically means dealing with multiple considerations that combine to yield an overall measurement. These considerations include:
• The number of factors employed in the authentication method
• The number of tokens for each factor

[1] Commonly referred to as “something you know, something you have, something you are.”
[2] National Institute of Standards and Technology, Personal Identity Verification (PIV) of Federal Employees and Contractors, FIPS PUB 201-1, March 2006.
• The strength of each token (i.e., whether the identity credential or authentication tokens used can be compromised or circumvented)

The number of factors employed is an important consideration. Additional factors significantly improve the overall strength of authentication. Strength is also a function of the strength of the individual factors employed. A PIN, a password, or your mother’s maiden name each has different actual (and sometimes perceived) strength. For example, a typical 4-digit PIN is considered to be weaker than an 8-character password that uses upper- and lowercase letters. One reason is that the two tokens have different lengths. Another reason is that the two tokens have a different number of possible permutations (i.e., for the PIN, the number of permutations is 10^4 with 4 digits of 0-9, as opposed to a password of 8 lower- and uppercase letters, for which the number of permutations is 52^8). The password is substantially stronger than a numeric PIN: the chances of guessing the PIN are 1 in 10,000, as opposed to 1 in 53,459,728,531,456 for the password. Both figures assume the token was chosen uniformly at random; user-chosen PINs and passwords cluster on a small set of popular values, so their effective strength is lower than the raw count suggests. Other examples are less clear: in requiring your mother’s maiden name as opposed to your favorite dog’s name, the length of the names is a factor that yields equivalent strength, as do the uniqueness or obscurity of the name. Those measures are much more difficult to quantify; hence the non-absolute determination of overall strength for some factors. The use of cryptography in strong authentication should be based on sound cryptographic principles and use of keys of appropriate strength.

Finally, an authentication method is typically considered to be strong if the following are true:
• At least two of the three authentication factors are used.
• The cost, computing power, and time required by a determined attacker to attack an authentication token exceeds the value of compromising the token and the related asset.
• The identity vetting and proofing requirements applied when issuing the identity credential can reasonably assert that electronic Alice is, in fact, Alice.
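The PIN-versus-password comparison above can be carried a step further. The following is an added example (not code from the article or from the Smart Card Alliance): it computes the search space and entropy of a knowledge token from its alphabet and length, the expected time for an offline exhaustive search at an assumed guess rate, and, for the case the article raises later where the smart card locks after too many wrong PINs, the bounded success probability of an attacker who only gets a handful of online attempts. The guess rate of one billion per second and the three-try limit are illustrative assumptions, not figures from the article.

```python
"""Added example: quantifying the strength of a knowledge token (PIN or password).

Two attacker models are compared:
  * offline guessing against a captured password file at an assumed rate, and
  * online guessing against a smart card whose PIN retry counter allows only a
    few attempts before the card locks.
Guess rates and retry counts are illustrative assumptions.
"""
import math
import string

# Alphabets for the article's two tokens (plus a richer one for comparison).
ALPHABETS = {
    "digits": string.digits,                       # 10 symbols: a 4-digit PIN
    "letters": string.ascii_letters,               # 52 symbols: the article's 8-char password
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct tokens of `length` symbols drawn from `alphabet`."""
    return len(alphabet) ** length


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy of a uniformly chosen token: log2 of the keyspace."""
    return length * math.log2(len(alphabet))


def offline_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive offline search (on average half the keyspace)."""
    return keyspace(alphabet, length) / 2 / guesses_per_second


def online_success_probability(alphabet: str, length: int, max_tries: int) -> float:
    """Chance of guessing a uniformly random token when the verifier (for example a
    card's PIN retry counter) permits at most `max_tries` attempts, however fast
    the attacker can try."""
    return min(1.0, max_tries / keyspace(alphabet, length))


def compare(guesses_per_second: float = 1e9, max_tries: int = 3) -> dict:
    """Summarise the article's 4-digit PIN and 8-letter password under both models."""
    report = {}
    for name, alphabet, length in (("pin", ALPHABETS["digits"], 4),
                                   ("password", ALPHABETS["letters"], 8)):
        report[name] = {
            "keyspace": keyspace(alphabet, length),
            "bits": round(entropy_bits(alphabet, length), 1),
            "offline_seconds": offline_seconds(alphabet, length, guesses_per_second),
            "online_p_success": online_success_probability(alphabet, length, max_tries),
        }
    return report


if __name__ == "__main__":
    for token, stats in compare().items():
        print(token, stats)
```

The point the numbers make is the one the article makes in prose: the 4-digit PIN has only about 13 bits of entropy and falls instantly to offline search, yet bound to a card that locks after three wrong entries it leaves a thief holding the card a 3-in-10,000 chance, which is why the PIN is acceptable as the "something you know" factor only when it unlocks a "something you have" that enforces the retry limit.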
Smart Cards and Strong Authentication

Smart cards can significantly increase the security of a person’s identity credentials. The credentials can be permanently stored on the card, which is in the person’s possession. In addition, sophisticated attacks on smart cards are time-consuming and expensive, and the attacker must have physical possession of the card. If a person’s smart card is missing, it is likely that the person will report it, and the card can be revoked and re-provisioned before an attack can succeed. When credentials are stored on someone’s computer, that person may never know that they have been stolen.

Authentication Factors Enabled by Smart Cards. Smart cards are typically used to enable two-factor authentication, incorporating something you have (the smart card) and something you know (typically a PIN that activates the card’s cryptographic functions). Taking control of a person’s digital identity requires both stealing the smart card and guessing the PIN. Cardholders know very quickly when a card is stolen and can contact an authority to report the stolen credentials. In addition, too many incorrect PIN guesses can lock the card. Smart card technology also supports the addition of biometric tokens (something you are), enabling three-factor authentication. As an alternative, the biometric can replace the PIN, which strengthens security while increasing convenience. Adding biometric authentication to an access control solution is easy, because the smart card can store the cardholder’s biometric template and perform the processing required to check for a match. No back-end database is required. Storing the credentials for accessing an application securely on a smart card, protected by the cardholder’s biometric data, provides an organization with biometric security without having to involve back-end applications.

Form Factors. Smart card technology is available in multiple form factors: a plastic card (with contact or contactless communication capabilities, or both, and optionally a display and keypad), a USB device, or a secure element (SE) that can be embedded in a mobile (or other) device. Each implementation incorporates a computer chip that can carry a microcontroller, crypto-coprocessor, memory, operating system, and application software. Microcontroller-based smart cards are designed to resist attack using a variety of countermeasures built into the chip by the manufacturer, making it less likely that data stored on the smart card will be exposed, stolen, modified, or destroyed. Mobile devices, especially smartphones, offer multiple opportunities for implementing smart card technology. An SE can be embedded directly in the device or held on the universal integrated circuit card (UICC), also known as the subscriber identity module (SIM). Many phones have the ability to read microSD cards, which constitute another possible form factor. The evolution of Near Field Communication (NFC) technology within the mobile sphere has sparked considerable interest in using smartphones in authentication processes. Regardless of form factor, smart cards can be used to implement any of the authentication techniques described here.
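The two-factor exchange described above (card plus PIN, with a retry counter that locks the card) can be made concrete as a simulation. What follows is an added example, not code from the article or from any card vendor. The card holds a secret key that is never exported and refuses to use it until the correct PIN has been presented; the verifier sends a fresh random challenge and checks the card's HMAC response, so a captured response cannot be replayed. A symmetric key shared with the verifier is used here because the article lists secure symmetric key storage among the card's capabilities and it keeps the example to the standard library; a PIV-style card would more typically sign the challenge with a private key and present a certificate. The card identifier, PIN and three-try limit are assumptions for the demonstration.

```python
"""Added example: simulated smart-card logon with something-you-have
(an on-card key) and something-you-know (a PIN with a retry counter),
using an HMAC challenge-response.  Identifiers and limits are assumptions."""
import hashlib
import hmac
import secrets


class CardLockedError(Exception):
    """Raised when the PIN retry counter is exhausted."""


def _response(key: bytes, card_id: str, challenge: bytes) -> bytes:
    """The value both sides compute: HMAC over a domain tag, the card id and the nonce."""
    return hmac.new(key, b"auth:" + card_id.encode() + b":" + challenge, hashlib.sha256).digest()


class SmartCard:
    """Something you have: holds the key, the PIN and the retry counter."""

    def __init__(self, card_id: str, key: bytes, pin: str, max_tries: int = 3):
        self.card_id = card_id
        self._key = key                 # never leaves the card
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._unlocked = False

    @property
    def tries_left(self) -> int:
        return self._tries_left

    def reset(self) -> None:
        """Power cycle: the PIN must be presented again (the counter persists)."""
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        """Something you know: unlock the cryptographic function for this session."""
        if self._tries_left == 0:
            raise CardLockedError("PIN retry counter exhausted; card must be unblocked by the issuer")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = self._max_tries   # counter resets on a correct PIN
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Answer a challenge; refused unless the PIN has been verified."""
        if not self._unlocked:
            raise PermissionError("card is locked: present PIN first")
        return _response(self._key, self.card_id, challenge)


class Verifier:
    """Back end that knows each enrolled card's key and issues single-use challenges."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, card_id: str, key: bytes) -> None:
        self._keys[card_id] = key

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)       # fresh per attempt
        self._pending[card_id] = nonce
        return nonce

    def check(self, card_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(card_id, None)   # consumed on first use: defeats replay
        if nonce is None or card_id not in self._keys:
            return False
        return hmac.compare_digest(_response(self._keys[card_id], card_id, nonce), response)


def logon(card: SmartCard, verifier: Verifier, pin: str) -> bool:
    """Complete two-factor exchange: PIN to the card, challenge to the card, response to the verifier."""
    if not card.verify_pin(pin):
        return False
    nonce = verifier.challenge(card.card_id)
    return verifier.check(card.card_id, card.respond(nonce))


def demo() -> dict:
    """Walk through the cases the article describes: legitimate logon, replay,
    stolen card without PIN, and lockout after too many wrong PINs."""
    key = secrets.token_bytes(32)
    card = SmartCard("card-0001", key, pin="2468")        # assumed PIN
    verifier = Verifier()
    verifier.enroll("card-0001", key)
    results = {"correct_pin": logon(card, verifier, "2468")}

    nonce = verifier.challenge("card-0001")               # capture one exchange...
    captured = card.respond(nonce)
    results["fresh"] = verifier.check("card-0001", captured)
    results["replay"] = verifier.check("card-0001", captured)   # ...and replay it

    card.reset()                                          # thief picks up the card
    try:
        card.respond(verifier.challenge("card-0001"))
        results["no_pin"] = True
    except PermissionError:
        results["no_pin"] = False

    for guess in ("0000", "1111", "1234"):                # three wrong PINs
        logon(card, verifier, guess)
    try:
        logon(card, verifier, "2468")                     # even the right PIN is now refused
        results["locked"] = False
    except CardLockedError:
        results["locked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the verifier discards the nonce as soon as it has been checked, so the second `check` with the captured response fails; that single-use challenge, not the secrecy of the response, is what removes the replay problem that Table 1 lists against plain biometric and OTP schemes.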
Advantages of Smart Cards

Smart cards offer the following advantages:
• Secure password file storage
• Ability to generate asymmetric key pairs and store PKI certificates securely
• Secure symmetric key storage
• Secure OTP seed storage
• Secure biometric template storage
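Secure OTP seed storage, listed above and revisited in Table 1 under the one-time-password row, means the seed is provisioned to the card and only codes ever leave it. The following is an added example (not code from the article) of that split: an HOTP generator as specified in RFC 4226 (HMAC-SHA1 over an 8-byte counter, dynamic truncation to six digits), a card object that holds the seed and counter, and a server object holding its copy of the seed that accepts each code at most once and only within a small look-ahead window, which is how the two counters stay synchronised when a code is generated but never submitted. The seed is the RFC 4226 Appendix D test-vector secret so the codes can be checked against the RFC; the window size, card and server classes, and the omission of the PIN step are assumptions of this example.

```python
"""Added example: HOTP (RFC 4226) with the seed kept on the card and a server
that accepts each code once within a look-ahead window.  The seed is the RFC's
own test vector; window size and class structure are assumptions."""
import hashlib
import hmac
import struct

RFC4226_SEED = b"12345678901234567890"   # RFC 4226 Appendix D test secret


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpCard:
    """Card side: the seed never leaves; only six-digit codes do."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1                                    # advance even if never submitted
        return code


class OtpServer:
    """Server side: holds its own copy of the seed and the last accepted counter."""

    def __init__(self, seed: bytes, window: int = 5):
        self._seed = seed
        self._counter = 0          # next counter value we expect
        self._window = window      # how far ahead we will search to resynchronise

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._counter = c + 1   # this and every earlier counter are now dead: no replay
                return True
        return False


if __name__ == "__main__":
    card, server = OtpCard(RFC4226_SEED), OtpServer(RFC4226_SEED)
    code = card.next_code()
    print(code, server.verify(code), server.verify(code))   # second verify is a replay
```

Moving the generator onto the card changes nothing in the algorithm; what changes is that compromise of the workstation yields at most the codes typed on it, never the seed, and the server's monotonically advancing counter turns each of those codes into a one-shot credential.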
Table 1 describes how the use of smart card technology can add value to any authentication solution. In summary, using smart cards can provide the following advantages: • Support for multiple applications and sets of application data on the card
• Support for cryptographic authentication tokens and use of digital signatures for strong audit functions • Support for multiple types of authentication tokens, providing redundant features for identity authentication and security for the identity information and identity authentication process • Support for offline authentication processes • Secure storage of biometrics and other credentials (e.g., PINs)
Table 1. Value Added to Authentication by Using Smart Card Technology
(Columns: Authentication Mechanism; Issue; Value Added by Smart Card Technology)

Single-Factor Authentication

Static passwords
Issues:
• Easy to guess, sniff, or steal
• Difficult to enforce strong password policies
• User frustration and resistance to changing and memorizing passwords
• Cost to manage
Value added by smart card technology: A smart card system provides a secure container for passwords and automates the user’s logon, relieving the user of the requirement to manage passwords. Strong password policies are easy to enforce.

Passive or active device without a PIN
Issues:
• Device loss or theft
Value added by smart card technology: A smart card system provides security for the device seed and also adds PIN-based access to the card, implementing two-factor strong authentication.

Biometric
Issues:
• Replay attack
• Masquerade attack
• Biometric credential and matching security
• Online database connectivity requirement (unless used with smart card)
• Theft of database – biometrics cannot be revoked
Value added by smart card technology: A smart card system provides secure storage for the biometric template, performs the biometric match on the card (enabling an offline authentication process), and adds PIN-based access to the card, implementing three-factor authentication.

Two-Factor Authentication

One-time password device with PIN
Issues:
• Complex infrastructure
• Man-in-the-middle attack
• Single function product
• OTP seed protection
• Token life-cycle cost
Value added by smart card technology: A smart card system replaces a single-function device with multi-function capability (securing application and network access) and reduces overall complexity and life-cycle cost. Smart card investment can be leveraged by using the card as a smart ID badge for secure building access. Smart cards are programmable. Cards can be reused easily, supporting a more cost-effective approach to issuing temporary access cards. New smart card functions can be added after issuance, supporting upgrades to systems or new applications.

Biometric and password
Issues:
• Complex back-end infrastructure
• Credential security
• Online database connectivity requirement
• Theft of database – biometrics cannot be revoked
Value added by smart card technology: A smart card system provides secure storage for the biometric template and performs the biometric match on the card (enabling an offline authentication process).

Three-Factor Authentication

Device, biometric, PIN
Issues:
• Credential security, whether on a server or workstation
• Complex infrastructure
• Online database connectivity requirement
• Theft of database – biometrics cannot be revoked
Value added by smart card technology: A smart card system provides the least complex mechanism for three-factor authentication when integrated with biometric match-on-card capability. There is no requirement for connection to a database.
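Three of the issues in Table 1 (replay of a captured credential, protection of the secret on the device, and PIN-gated use of the card) can be seen in a small simulation. The Python below is an added example written for this article; it is not code from the Smart Card Alliance white paper or from any card vendor. It models the card as an object whose secret never leaves it and is usable only after a PIN check, and a verifier that issues a fresh random challenge for each logon and accepts each challenge once. A PKI card would sign the challenge with an on-card private key and the verifier would check the signature against the card’s certificate; an HMAC over a card-held secret is used instead so that the example runs with the standard library alone, which leaves the shape of the exchange unchanged. The three-try PIN retry counter, the card identifier and the sample password are assumptions for the example, not figures from the article.

```python
"""Simulated two-factor smart card logon beside a static password.

Constructed example, not code from the Smart Card Alliance white paper.
A PKI card would sign the challenge with an on-card private key; HMAC over
a card-held secret is used here so the example runs with the stdlib only.
"""
import hashlib
import hmac
import secrets


class SmartCard:
    """Card side: PIN-gated use of a secret that is never exported."""

    MAX_PIN_TRIES = 3  # assumed retry counter; real cards block after a set number

    def __init__(self, pin: str, secret: bytes):
        self._pin = pin.encode()
        self._secret = secret        # loaded at issuance; no read-out command exists
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        """Something you know: unlock the card, or count down towards blocking."""
        if self._tries_left == 0:
            return False             # card is blocked
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = self.MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Something you have: prove possession of the secret without revealing it."""
        if not self._unlocked:
            raise PermissionError("PIN required before the card will authenticate")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues cards, hands out one-time challenges, checks answers."""

    def __init__(self):
        self._card_secrets = {}   # card_id -> secret (the certificate, in a PKI deployment)
        self._outstanding = {}    # challenge -> card_id, removed on first use
        self._passwords = {}      # user -> static password, for comparison only

    def issue_card(self, card_id: str, pin: str) -> SmartCard:
        """Personalisation: the secret is generated once and placed on the card."""
        secret = secrets.token_bytes(32)
        self._card_secrets[card_id] = secret
        return SmartCard(pin, secret)

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = card_id
        return nonce

    def verify_response(self, card_id: str, nonce: bytes, response: bytes) -> bool:
        """A challenge is valid once: a replayed (nonce, response) pair is refused."""
        if self._outstanding.pop(nonce, None) != card_id:
            return False
        expected = hmac.new(self._card_secrets[card_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def set_password(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def check_password(self, user: str, password: str) -> bool:
        """Static password: whatever was sniffed once works every time."""
        return hmac.compare_digest(self._passwords.get(user, ""), password)


def card_logon(verifier: Verifier, card_id: str, card: SmartCard, pin: str):
    """One logon: the PIN unlocks the card, the card answers a fresh challenge.
    Returns (accepted, (nonce, response)) so the exchange can be 'sniffed'."""
    if not card.verify_pin(pin):
        return False, None
    nonce = verifier.challenge(card_id)
    response = card.respond(nonce)
    return verifier.verify_response(card_id, nonce, response), (nonce, response)


def demo() -> dict:
    v = Verifier()
    card = v.issue_card("card-0001", pin="1234")   # assumed identifier and PIN
    v.set_password("alice", "Winter2013!")         # constructed sample credential

    accepted, captured = card_logon(v, "card-0001", card, "1234")
    # An attacker who captured (nonce, response) on the wire replays it.
    replayed = v.verify_response("card-0001", *captured)
    # The same attacker, having sniffed a static password, reuses it freely.
    password_replay = (v.check_password("alice", "Winter2013!")
                       and v.check_password("alice", "Winter2013!"))
    # A thief holding the card but not the PIN exhausts the retry counter.
    for guess in ("0000", "1111", "2222"):
        card.verify_pin(guess)
    blocked = not card.verify_pin("1234")
    return {
        "card_logon_ok": accepted,
        "replay_rejected": not replayed,
        "password_replay_accepted": password_replay,
        "stolen_card_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns the four outcomes the table argues about: the PIN-plus-challenge logon is accepted, the captured challenge and response are refused when replayed, the sniffed static password is accepted again, and the card blocks itself after three wrong PINs, so a stolen card without its PIN yields nothing. The verifier never holds anything that lets it impersonate the user to a third party in the PKI variant (it would hold only the certificate), which is the property the symmetric stand-in cannot show.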
Conclusions

Organizations globally are moving to strong authentication solutions for authenticating identities prior to granting access to computer networks, systems and applications. Factors driving this move include changes in the IT infrastructure (e.g., cloud-based computing that provides increased public exposure), requirements to protect systems and information from increasingly sophisticated attacks, and regulatory mandates for securing information and protecting employee, patient and consumer privacy.

The identity assurance process consists of multiple steps. An individual must prove their identity; a credential is issued; the credential asserts proof of identity for authentication. Multiple authentication factors are used with a variety of authentication tokens.

Strong authentication is not precisely defined, but is a qualitative measure with a relative scale. Strong authentication for logical access means going beyond the typical user name-password combination and simple single-factor approaches. The strength of “strong” authentication depends on the number of factors employed, the strength of each token, and the potential that the authentication token was compromised or circumvented.

Smart card technology provides an excellent platform for implementing strong authentication. Smart cards securely support all of the authentication tokens, storing password files, PKI certificates, one-time password seed files, and biometric image templates, as well as generating asymmetric key pairs. A smart card used in combination with one or more authentication tokens provides stronger multi-factor authentication and significantly strengthens logical access security. Smart card technology also provides the flexibility for including all authentication tokens in a single smart card, improving the security and privacy of the overall authentication process. A single smart card can be used for authentication for both physical and logical access.
About this Article This article is an extract from the Smart Card Alliance Access Control Council white paper, Strong Authentication Using Smart Card Technology for Logical Access, which discusses the benefits of using smart card technology for strong authentication for logical access. Participants involved in the development of this document included: AMAG Technology; Consult Hyperion; Damalas LLC; Marty Frary; Gemalto; GSA; HID Global; HP Enterprise Services; Identification Technology Partners; Identive Group; IDmachines; IQ Devices; LaChelle LeVan; NagraID Security; NXP Semiconductors; Oberthur Technologies; Roehr Consulting; SAIC; U.S. Department of Defense/Defense Manpower Data Center; U.S. Department of State.
About the Access Control Council The Smart Card Alliance Access Control Council is focused on accelerating the widespread acceptance, use, and application of smart card technology for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the access control community and that will help expand smart card technology adoption in this important market.
In addition, smart cards can support a variety of applications used by organizations, including Windows logon, password management, one-time passwords (OTP), VPN authentication, e-mail and data encryption, electronic signatures, enterprise single sign-on, secure wireless network logon, biometric authentication, personal data storage, role-based access, and secure physical access. Today, smart cards are essential to the security backbone of an organization’s identity management system, supporting the strong authentication required to validate individuals accessing networked resources.
Smart Card Talk
9
council reports
Updates from the Alliance Industry Councils

Access Control
• The Access Control Council published a new white paper, Strong Authentication Using Smart Card Technology for Logical Access, which discusses the benefits of using smart card technology for strong authentication for logical access. Access Control Council members involved in the development of this white paper included: AMAG Technology; Consult Hyperion; Damalas LLC; Marty Frary; Gemalto; GSA; HID Global; HP Enterprise Services; Identification Technology Partners; Identive Group; IDmachines; IQ Devices; LaChelle LeVan; NagraID Security; NXP Semiconductors; Oberthur Technologies; Roehr Consulting; SAIC; U.S. Department of Defense/Defense Manpower Data Center; U.S. Department of State.
• The Council elected its 2013/2014 officers and Steering Committee. New officers are: Chair – Lars Suneborn, Identive; Vice Chair – Lolie Kull, HP Enterprise Services; Secretary – Sal D’Agostino, IDmachines. The newly-elected Steering Committee includes: Dave Adams, HID Global; Salvatore D’Agostino, IDmachines; Tony Damalas, Damalas LLC; Michel Escalant, Gemalto; Frazier Evans, Booz Allen Hamilton; Walter Hamilton, Identification Technology Partners; Kevin Kozlowski, XTec, Inc.; Andy Kuchel, Quantum Secure Inc.; Lolie Kull, HP Enterprise Services; Roger Roehr, Roehr Consulting; Steve Rogers, IQ Devices; Jason Rosen, NASA; Adam Shane, AMAG Technology; Mike Sulak, Department of State; Lars Suneborn, Identive Group; Mike Zercher, NXP Semiconductors.
• The Council has established its 2013 priorities, including: providing input through the EPTWG to the GSA on the changes being made to the FIPS 201 Evaluation Program; providing input to NIST on FIPS 201-2 related publications; and providing recommendations and guidance on derived credentials.
Healthcare
• The Healthcare Council developed and submitted an industry letter to Dr. Farzad Mostashari, National Coordinator for Health Information Technology, Office of the National Coordinator for Health Information Technology, recommending that Level of Assurance 4 be included in the Meaningful Use Stage 3 Requirements.
• The Council elected its 2013/2014 officers and Steering Committee. New officers are: Chair – Michael Magrath, Gemalto; Vice Chair – David Batchelor, LifeMed ID, Inc.; Secretary – Hugh Gilenson, ABnote Group. The newly-elected Steering Committee includes: David Batchelor, LifeMed ID, Inc.; Anna Fernezian, CSC; Hugh Gilenson, ABnote Group; Michael Magrath, Gemalto; Matthew Neuman, Giesecke & Devrient; Jim Zalnasky, Oberthur Technologies.
• The Council is now developing its 2013 plan.
Identity
• The Identity Council elected its 2013/2014 officers and Steering Committee. New officers are: Chair – Bryan Ichikawa, Deloitte & Touche LLP; Vice Chair – Neville Pattinson, Gemalto; Secretary – Sal D’Agostino, IDmachines. The newly-elected Steering Committee includes: Salvatore D’Agostino, IDmachines; Frazier Evans, Booz Allen Hamilton; Chris Gardner, SecureKey Technologies; Bryan Ichikawa, Deloitte & Touche LLP; Don Malloy, NagraID Security; Neville Pattinson, Gemalto; Steve Rogers, IQ Devices; Chris Williams, SAIC.
• The Council is currently working on two projects: a cross-council project on mobile devices and PIV credentials; and a white paper on smart card technology and NSTIC.
Mobile and NFC
• The Mobile and NFC Council was invited by the Mobey Forum to provide comments on a planned paper defining key terms in the mobile financial services industry. The Council collaborated with the NFC Forum and submitted comments on the draft document.
• The Council is currently defining a project to provide educational resources on security options for mobile/NFC applications and developing its 2013 plan.
Payments
• The Council elected its 2013/2014 officers and Steering Committee. New officers are: Co-Chairs – Jack Jania, Gemalto, and Oliver Manahan, MasterCard Worldwide; Vice Chair – Troy Bernard, Discover Financial Services; Secretary – Deborah Baxley, Capgemini. The newly-elected Steering Committee includes: Philip Andreae, Accenture LLP; Deborah Baxley, Capgemini; Deana Cook, Chase Card Services; Jose Correa, NXP Semiconductors; Troy Bernard, Discover Financial Services; Terry Dooley, SHAZAM; Michael English, Heartland Payment Systems; Pamela Flakowitz, American Express; Greg Garback, WMATA; Simon Hurry, Visa, Inc.; Jack Jania, Gemalto; Bastian Knoppers, FIS; Paul Legacki, Infineon Technologies; Oliver Manahan, MasterCard Worldwide; Nick Pisarev, G&D; JC Raynon, VeriFone Systems; Garfield Smith, Oberthur Technologies; John Smith, First Data Corporation.
• The Council is currently completing its EMV ecosystem project and developing its 2013 plan.
Transportation
• The Council elected its 2013/2014 officers and Steering Committee. New officers are: Chair – Craig Roberts, Utah Transit Authority; Vice Chair, Transit – Jerry Kane, SEPTA; Vice Chair, Tolling – Mike Nash, Xerox. The newly-elected Steering Committee includes: Linh Huynh, INSIDE Secure; Kathy Imperatore, PATCO; Mark Lulic, MasterCard Worldwide; Celine Mantoux, Giesecke & Devrient; Josh Martiesian, LTK Engineering Services; Kenneth Mealey, American Express; Mike Meringer, VeriFone Systems; Pradap Mistry, Cubic Transportation Systems; Eric Reese, Chicago Transit Authority; John Vasilj, Accenture.
Other Council Information
• The Access Control Council, Identity Council, and Mobile and NFC Council collaborated on the Mobile Devices and Identity and Access Control Applications workshop for the 2012 Government Conference.
• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
• A Council meeting calendar is available on the members-only web site at http://www.smartcardalliance.org/pages/members-council-resources.
• If you are interested in forming or participating in an Alliance council, contact Cathy Medich.
Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
from the alliance office
New Smart Card Alliance Members
• SunTrust, Leadership Council
• A LA CARD Marketing and Consulting Services Limited, Associate Member
• Equinox Payments, General Member
• Galitt U.S., General Member
• Kona I Co., Ltd., General Member
• Sunward Telecom Limited, General Member
• Vix Technology, General Member
• Edmonton Transit System, Government
• American Express, SCALA, Leadership Council
• ICards Solutions Latinoamerica S.A. De C.V., SCALA General Member
New CSCIP Recipients

CSCIP/G
• Heather Brooks, XTec, Incorporated
• Jonathan Brooks, Global Enterprise Technologies Corporation
• Brian Keltner, Wells Fargo
• Jonathan McGill, XTec, Incorporated
• Chadrick Sine, SAIC

CSCIP/P
• Sridher Sawminathan, First Data

CSCIP/G and CSCIP/P
• Brian Keltner, Wells Fargo

For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.
191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org
About Smart Card Talk
Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.

About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.