The Smart Cards Are Coming... Really
Mark Twain once famously quipped that rumors of his death were greatly exaggerated. Turn that joke on its head to get an idea of the hype surrounding smart-card and biometric technology: In this case, it is rumors of their use that have in the past been greatly exaggerated.
That’s not the case anymore. Particularly since the tragedies of 9-11, smart-card and biometric use has indeed been on the rise. Some statistics tell the story. According to EuroSmart, an international smart-card association, more than a billion microprocessor cards were shipped globally in 2004, up from some 815 million the year before. Biometrics is already a billion-dollar business, and it is expected to nearly quintuple in four years. Security-related uses include banking applications, identification, and physical access.
Several government initiatives are driving smart-card growth, including a new Presidential Directive, the Patriot Act, and the Gramm-Leach-Bliley Act. Just as important as the regulatory environment are the technological advances in smart cards and biometrics.
Inside the card. Advances in chip technology are making smart cards more powerful and thus more appropriate for new applications. Today’s smart cards are nothing less than single-chip computers with extensive memory, explains Neville Pattinson, director of business development and technology for Axalto America. The company produces high-end smart cards and creates the operating systems that the chips run.
A note on terminology. The term “smart cards” is used to describe different types of cards, from cards that simply carry data in memory to those that can carry out sophisticated processing of data. As used in this article, “smart cards” refer to cards fitted with a microprocessor chip that can dynamically process data.
This terminology, notes Dovell Bonnett, director of partners and alliances with HID, is not strictly accurate; these chips are actually microcontrollers, or what might be thought of on a computer as the motherboard, rather than simply a single part of the motherboard. However, given the widespread use of “microprocessor” to describe these chips, this article will use that term.
Smart-card technology has advanced remarkably, experts say, in terms of both the amount of memory a single chip can store, and with regard to the power of the chip itself. Current smart cards have 64 kilobytes of memory, but, says Pattinson, “I’m sure 128, 256, 512 kilobytes of data will become available on smart cards” in the not-too-distant future. He says that advances in silicon geometry will allow the chips to become ever more powerful, with the only limitation being the space available on the card itself. “We have 5 x 5 millimeter physical size to fit [the chip] into,” he says.
It’s not only the chips that have changed, but also the way they work. The change began in the late 1990s with the introduction of the Java card, which allows multiple functions, protected by firewalls, to coexist on a single card. Java cards also allow new functions to be added.
Java card. To understand how previous types of smart cards—what Pattinson terms “file-system cards”—differ from the Java card (created by Axalto, using Sun Microsystems’ Java technology), Pattinson gives the example of an electronic-wallet application in which a card would hold balance information. “If you wanted to change [the balance], you had to modify the information off the card, and send it back to the smart card and store it back in the file,” he says.
The Java card provides all that functionality within the card, meaning that data can be stored and modified safely within the card itself. So, for example, a command to deduct three dollars from the card’s balance would be sent to the card, rather than pulling the balance off the card and carrying out the operation in the terminal. Keeping both the data and the logic on the card adds security: the balance is never handed to the terminal, and the card, not the terminal, enforces the rules for changing it. Similarly, as discussed in the section on biometrics below, matching a person’s biometric template (from, say, a fingerprint) to one stored on a card can be carried out on the card itself, meaning that organizations do not need to keep large databases of biometric information if they merely want to verify that the person presenting an ID card is the person authorized to have that card.
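To make the difference concrete, here is an added illustration in Python that is not code from the article, from Axalto, or from any real card. It models both designs at the command level: a file-system card that simply stores whatever the terminal writes back, and a wallet applet that accepts a DEBIT command and enforces the balance rule itself. The command format is a simplified ISO 7816-style APDU (CLA INS P1 P2 followed by a data field); the DEBIT and BALANCE instruction codes and the status word used for "insufficient funds" are assumptions chosen for the example.

```python
"""Read-modify-write on a file-system card versus a DEBIT command on an applet.

Added illustration, not code from the article or from any real card.  The APDU
format is a simplified ISO 7816 layout (assumed): CLA INS P1 P2 then data.
Status word 0x9000 means success; the other codes below are chosen for the example.
"""

SW_OK = 0x9000
SW_NO_FUNDS = 0x6985       # "conditions of use not satisfied" (assumed meaning)
SW_UNSUPPORTED = 0x6D00    # instruction not supported

INS_READ_BINARY = 0xB0     # ISO 7816-4 READ BINARY
INS_UPDATE_BINARY = 0xD6   # ISO 7816-4 UPDATE BINARY
INS_DEBIT = 0x30           # wallet applet DEBIT (assumed, proprietary)
INS_BALANCE = 0x32         # wallet applet BALANCE (assumed, proprietary)


def _apdu(ins, data=b""):
    """Build a command APDU with CLA=00, P1=P2=00 and the given data field."""
    return bytes([0x00, ins, 0x00, 0x00]) + data


class FileSystemCard:
    """The card is only a store: whatever the terminal writes, it keeps."""

    def __init__(self, balance_cents):
        self.file = balance_cents.to_bytes(4, "big")

    def process(self, apdu):
        if apdu[1] == INS_READ_BINARY:
            return self.file, SW_OK
        if apdu[1] == INS_UPDATE_BINARY:
            self.file = apdu[4:8]           # no rule is checked on the card
            return b"", SW_OK
        return b"", SW_UNSUPPORTED


class WalletApplet:
    """The card owns the balance and enforces the debit rule itself."""

    def __init__(self, balance_cents):
        self._balance = balance_cents       # no command overwrites this directly

    def process(self, apdu):
        if apdu[1] == INS_BALANCE:
            return self._balance.to_bytes(4, "big"), SW_OK
        if apdu[1] == INS_DEBIT:
            amount = int.from_bytes(apdu[4:8], "big")
            if amount > self._balance:
                return b"", SW_NO_FUNDS     # refused on the card, balance untouched
            self._balance -= amount
            return b"", SW_OK
        return b"", SW_UNSUPPORTED          # UPDATE BINARY etc. do not exist here


def file_card_balance(card):
    data, _ = card.process(_apdu(INS_READ_BINARY))
    return int.from_bytes(data, "big")


def debit_file_card(card, amount_cents):
    """Terminal-side read-modify-write.  A buggy or hostile terminal can write
    anything back, including a wrapped-around or inflated balance; the card accepts it."""
    new_balance = (file_card_balance(card) - amount_cents) & 0xFFFFFFFF
    card.process(_apdu(INS_UPDATE_BINARY, new_balance.to_bytes(4, "big")))
    return file_card_balance(card)


def debit_applet(applet, amount_cents):
    """One DEBIT command; the card decides and answers with a status word."""
    _, sw = applet.process(_apdu(INS_DEBIT, amount_cents.to_bytes(4, "big")))
    return sw


def applet_balance(applet):
    data, _ = applet.process(_apdu(INS_BALANCE))
    return int.from_bytes(data, "big")


if __name__ == "__main__":
    fs = FileSystemCard(500)
    print("file-system card, debit 800 from 500:", debit_file_card(fs, 800))
    applet = WalletApplet(500)
    print("applet, debit 800 from 500 -> SW %04X" % debit_applet(applet, 800))
    print("applet, debit 300 from 500 -> SW %04X, balance %d"
          % (debit_applet(applet, 300), applet_balance(applet)))
```

With the file-system card, a debit larger than the balance silently wraps to a huge value, and a terminal can write any balance it likes with a single UPDATE BINARY; with the applet, the over-limit debit is refused on the card and there is no command that sets the balance at all.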
Java cards are capturing an increasingly large part of the smart-card market. Sun Microsystems announced at a recent trade show that more than 750 million Java cards have already been deployed. That represents a growth of more than 50 percent in a single year, according to Sun.
Applets. Java cards work through what are called “applets,” tiny programs that carry out individual applications, Pattinson says. A small piece of software called a virtual machine interprets these applets and the proper operations are then carried out by the microprocessor. Each applet is isolated from the others with a firewall as an added layer of security. Java cards can have many applets, making them multifunctional. For example, one applet could provide the e-wallet functionality, another could allow access to a building, another could be used for biometric authentication.
What makes these applets so attractive is that anyone with a software development kit and some knowledge of Java can create an application, meaning it can be precisely tailored to any business environment.
This capability may raise fears that a malicious applet that would compromise security could be loaded onto a card. However, Java cards have built-in security measures, such as an authentication process and digital-signing procedures, that verify that the applet being loaded has been authorized by the card issuer before it is installed. In addition, the applet firewall prevents a newly loaded applet from reaching into the data of an existing one. Consequently, “only the people who issue the cards have control over which applets will ultimately go on and be operational on those cards,” Pattinson says.
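An added example, not code from the article, from Sun, from Axalto, or from the Java Card or GlobalPlatform specifications, of the load-time check described above. The card carries a verification key placed there by the issuer and installs a load file only if the tag computed over the applet identifier (AID) and the load file verifies, so a developer with a kit can write an applet but cannot put it on the card. HMAC-SHA256 stands in for the card's real MAC or signature scheme, which is an assumption; the AIDs, load-file contents, and status words are constructed for the example.

```python
"""Issuer-controlled applet loading.

Added illustration; not code from the article, Sun, Axalto, or the Java Card /
GlobalPlatform specifications.  The card installs a load file only when the tag
over (AID || load file) verifies under the issuer's key.  HMAC-SHA256 is used as
the tag here (assumption); a real deployment may instead hold a public key on the
card and verify a signature, so the card never holds the signing secret.
"""
import hashlib
import hmac

SW_OK = 0x9000
SW_SECURITY_STATUS = 0x6982    # security status not satisfied (load refused)


def load_tag(key, aid, load_file):
    """Tag binds the applet to its AID so it cannot be installed under another name."""
    return hmac.new(key, bytes([len(aid)]) + aid + load_file, hashlib.sha256).digest()


class Issuer:
    """Holds the authorization key; the only party able to authorize applets."""

    def __init__(self, key):
        self._key = key

    def authorize(self, aid, load_file):
        return load_tag(self._key, aid, load_file)


class CardManager:
    """On-card loader: verifies the tag before anything is written."""

    def __init__(self, verification_key):
        self._key = verification_key
        self._applets = {}          # AID -> installed load file

    def install(self, aid, load_file, tag):
        expected = load_tag(self._key, aid, load_file)
        if not hmac.compare_digest(expected, tag):
            return SW_SECURITY_STATUS      # rejected: nothing is stored
        self._applets[aid] = load_file
        return SW_OK

    def installed(self):
        return sorted(self._applets)


# Constructed sample data for a stand-alone run.
ISSUER_KEY = bytes(range(32))
AID_WALLET = bytes.fromhex("A00000000101")   # assumed AIDs
AID_DOOR = bytes.fromhex("A00000000102")
WALLET_LOAD_FILE = b"wallet applet bytecode (constructed placeholder)"


def demo():
    """Return the status words for a genuine, a rogue, a tampered and a re-targeted load."""
    issuer = Issuer(ISSUER_KEY)
    card = CardManager(ISSUER_KEY)
    tag = issuer.authorize(AID_WALLET, WALLET_LOAD_FILE)
    genuine = card.install(AID_WALLET, WALLET_LOAD_FILE, tag)
    # A developer with a kit but no issuer key signs with a key of their own.
    rogue_tag = Issuer(b"\x00" * 32).authorize(AID_DOOR, b"rogue applet")
    rogue = card.install(AID_DOOR, b"rogue applet", rogue_tag)
    # A genuine tag does not cover a modified load file ...
    tampered = card.install(AID_WALLET, WALLET_LOAD_FILE + b"\x90", tag)
    # ... nor the same load file installed under a different AID.
    retargeted = card.install(AID_DOOR, WALLET_LOAD_FILE, tag)
    return genuine, rogue, tampered, retargeted, card.installed()


if __name__ == "__main__":
    for name, sw in zip(("genuine", "rogue", "tampered", "retargeted"), demo()[:4]):
        print("%-10s -> SW %04X" % (name, sw))
```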
Other innovations. There are other trends worth noting with regard to smart cards, such as contactless cards, hybrid cards, and new generations of smart-card readers.
Contactless. Bonnett notes that traditional 125 kHz prox cards are read-only, meaning they can hold and store—but never change—any information. The company’s new contactless iClass line is far more sophisticated and, at 13.56 MHz, far more powerful. “With a lot of the new technology we’re doing with iClass and our other contactless technologies, we do have processing capabilities on the card,” such as the ability for a new code to be created on a card each time it is held up to a reader, for added security. Bonnett says that iClass is a microcontroller-based technology, just in the contactless realm. The number and types of applications it can perform are limited because it doesn’t use the Java operating system.
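The “new code each time” property Bonnett describes is the difference between a static identifier, which anyone who records it can replay, and a challenge-response in which the reader sends a fresh random challenge and the card answers with a key that never leaves it. The following is an added illustration in Python; it is not HID code and not a description of how iClass actually works. The 8-byte challenge, the HMAC-SHA256 response, and the derivation of per-card keys from a reader master key are assumptions made for the example.

```python
"""Static identifier (prox) versus per-presentation challenge-response.

Added illustration; not HID code and not how iClass works.  Assumptions: 8-byte
random challenge, HMAC-SHA256 response, per-card keys diversified from a reader
master key over the card UID.
"""
import hashlib
import hmac
import os


def diversify(master_key, uid):
    """Per-card key: the reader recomputes it from the master key, the card stores it."""
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()


class ProxCard:
    """125 kHz style: the same identifier on every read."""

    def __init__(self, ident):
        self.ident = ident

    def read(self):
        return self.ident


class ProcessingCard:
    """Contactless card with a key that never leaves the chip."""

    def __init__(self, uid, card_key):
        self.uid = uid
        self._key = card_key

    def respond(self, challenge):
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class Reader:
    def __init__(self, master_key, allowed_uids):
        self._master = master_key
        self._allowed = set(allowed_uids)

    def check_prox(self, ident):
        """Whatever sends the right bytes is let in."""
        return ident in self._allowed

    def check_challenge_response(self, uid, respond):
        if uid not in self._allowed:
            return False
        challenge = os.urandom(8)                  # fresh for every presentation
        expected = hmac.new(diversify(self._master, uid), uid + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))


class Eavesdropper:
    """Records one exchange and later replays the recorded answer."""

    def __init__(self):
        self.captured = None

    def tap(self, respond):
        def tapped(challenge):
            answer = respond(challenge)
            self.captured = (challenge, answer)
            return answer
        return tapped

    def replay(self, challenge):
        return self.captured[1]                    # old answer, new challenge


if __name__ == "__main__":
    master = os.urandom(32)
    uid = bytes.fromhex("0A1B2C3D")               # constructed UID
    reader = Reader(master, [uid])
    prox = ProxCard(uid)
    recorded = prox.read()
    print("prox replay accepted:", reader.check_prox(recorded))
    card = ProcessingCard(uid, diversify(master, uid))
    eve = Eavesdropper()
    print("genuine card accepted:", reader.check_challenge_response(uid, eve.tap(card.respond)))
    print("replayed response accepted:", reader.check_challenge_response(uid, eve.replay))
```

The replayed response is rejected because the reader's second challenge differs from the recorded one; a clone that knows the UID but not the key fails for the same reason.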
The faster processors of these cards allow benefits such as faster data processing and throughput. The greater memory means that the cards could do more than simply allow or deny access. They could hold information such as an employee’s medical history, encryption algorithms, and biometric identifiers.
Contactless cards have other benefits as well. For example, they add durability to the mix. “From a physical-access point of view, we do not want to put up insertion contact readers,” says Andrew Bulkley, senior director, product strategy enterprise solutions with GE Infrastructure, Security. Customers prefer contactless readers, because the insertion readers tend to be high maintenance thanks to wear-and-tear as cards are run through them. Corey Kirschner, director, border control solutions at Unisys, says that the contactless cards last longer as well. “Chips get rubbed off and worn out,” he says. “The federal government, in the Common Access Card in the DoD, is exploring contactless cards because of the durability issue. It’s faster, and you don’t have to touch anything.”
Hybrid cards. The promise and cost savings of smart cards can be offset by the expenses associated with making a transition from, say, a mag-stripe card used for physical access to a smart card with fingerprint biometric data on board.
The key is to find a way to transition without completely replacing the old system. These new systems need some level of backwards compatibility because of the enormous expense of purchasing new cards and readers and installing new systems, not to mention getting workers enrolled, according to Mark Freundlich, president of Indala, which makes access-control devices including cards and readers.
“One of the biggest areas of growth we see in the market are multitechnology or combination cards that are assisting people in the change from legacy [systems] to higher levels of reader technology,” Freundlich says.
“A hybrid card has multiple technologies residing on a common platform that do not share information and do not communicate with each other,” says Bonnett. With hybrid cards, companies can “take some of their existing installed technologies and add more value to that same platform by adding additional technologies onto it. We take our prox card and add a contact smart module to it, and now you’ve got capabilities there you didn’t have before,” he says.
“You can put a lot of different technologies onto this little piece of plastic,” including mag stripes, bar codes, and optical character recognition (OCR) codes, adds John McKeon, principal, biometrics and smart cards, IBM Global Services. These cards can also be contact and contactless.
Putting various technologies on a single card helps achieve compatibility with legacy systems and makes the transition to a smart card/biometric environment smoother, both important considerations for a business, says Bulkley.
McKeon gives an example of a customer that uses a hybrid card as a migration platform. “I have an old physical access system that’s, say, mag stripe, and I want to move to a contactless technology over time. I’m not going to replace 10,000 readers overnight. What I’m going to do is replace 100 readers per quarter. By putting both the contactless smart card and a mag stripe onto the ID badge, I can now upgrade that physical access system at my own pace.”
Another benefit of these cards is that there’s a built-in backup system in case one part of the card has a problem, says Bonnett. “If one of the technologies fails for whatever reason, the rest of the card is still accessible and usable,” he says. He compares hybrid cards to dual-technology cards where both technologies are on one chip. In these, “a single piece of silicon is able to do both contact and contactless” interfaces. But “if the chip fails, it fails for everything,” he says, adding that these cards are also more difficult to manufacture.
Readers. Cards with both contact and contactless interfaces are, as noted previously, becoming more common. Card readers are beginning to have some of the same functionalities, says HID’s Bonnett. He notes that companies such as OMNIKEY have a dual-interface reader that can read both contact and contactless cards.
Costs. Despite growing capabilities, smart cards have not caught on in the United States as fast as in Europe. One group that seems a likely adopter, credit-card issuers, has been slow to take the plunge. These companies are still not sold on smart cards, in large part because the cards are not deemed economical, says Joel Lisker, senior vice chairman of Dudinsky Lisker & Associates and former senior vice president of security and risk management for credit-card giant MasterCard International.
A credit card can be produced (prior to personalization) for about 26 cents, while microprocessor-chip cards can run between one and three dollars apiece, says Lisker. “Fraud is running about six or seven basis points—in other words, six or seven one-hundredths of one percent—so it’s hard to justify in a business case paying that kind of money when you’re issuing 40 million cards,” he says. “The cost of the solution outweighs the risk, and that’s been the holdback” to wider use of these cards.
“That’s always been a challenge on the financial services side,” agrees Bryan Ichikawa, a smart-card expert and a solutions architect with Unisys. “The saying is that the fraud pain threshold that the smart card would otherwise mitigate is not high enough to overcome the price of the card itself,” he says.
Ichikawa also points out that a switch to smart cards, with or without biometrics, involves more expenses than just the new cards. “The cost is not just for the card but you have to have readers, so now you’re talking about not only the issuing side but from the acquiring side. You’ve got all those merchant terminals that have to be retrofitted to handle smart cards,” he says, “and that’s a tremendously large expense.”
Biometrics. Technological advances are also occurring in the biometric industry, whose fortunes are closely aligned with smart cards, because the latter is often the delivery mechanism for the former.
There are many biometric technologies, from obvious to obscure (these latter include systems that would analyze odor, gait, or vein structure), but the most commonly implemented systems are fingerprints, iris scans, face recognition, and hand geometry. These technologies vary not only in terms of their accuracy but also in the types of applications and facilities for which they are best suited.
Fingerprint. According to research from the International Biometric Group, fingerprint technologies have nearly half of the market share of biometric technologies (hand geometry and facial recognition are about equal with 11 and 12 percent of the market respectively, and iris represents 9 percent).
Particularly for government facilities, fingerprints tend to be the biometric of choice. They have always been among the most accurate of biometric options, and they are getting better and less expensive. “Over the last 24 months, the technology around the capacitor sensors [used in fingerprint readers] has improved dramatically,” while prices have fallen, says Gary Bradt, vice president of the biometrics division of Silex America, which makes fingerprint readers.
Those improvements may help overcome the technology’s shortcomings, such as a high failure-to-enroll rate. This is the number of people who for some reason are unable to reliably and repeatedly generate a good image; for example, a test by the Federal Aviation Administration in 2001 found that two out of 38 users—more than 5 percent—“were unable to enroll because of the poor quality of their fingerprints,” according to a report by the Government Accountability Office (GAO).
The accuracy of this type of biometric is enhanced greatly when more than one finger is used in a scan. A recent evaluation of competing fingerprint technologies by the National Institute of Standards and Technology (NIST) showed that a system from NEC had a true-accept rate of 98.6 percent when one finger was scanned; 99.6 percent when two fingers were considered; and higher than 99.9 percent when four, eight, and ten fingers were tested. On the other hand, the NIST report showed that accuracy drops as the age of subjects increases, “particularly for subjects over 50 years of age.”
One problem facing fingerprint systems, and other systems that require a user to put a finger or hand in a place where countless others have also put theirs, is hygiene. A report from the GAO on the use of technology to secure federal buildings noted, “Certain groups of individuals resist using biometric devices because of hygiene issues.” This situation was particularly noticeable in some Asian countries at the height of the SARS epidemic, a concern that has declined as the disease has, says Teresa Wu, marketing specialist for biometric vendor Sagem Morpho, Inc.
Another issue has been a high failure-to-acquire rate, in which image quality is unacceptable. In particular, fingerprint scanning in environments where users may have dirty, greasy, or even nicotine-stained fingers can be prone to problems. One company, Ultra Scan, believes that it has found a way to overcome this issue with an ultrasonic fingerprint scanner.
“It works the same as ultrasound,” explains John K. Schneider, president of the Amherst, N.Y.-based company. “It can image through multiple mediums,” including some types of latex gloves (such as those that may be worn in a hospital). Schneider demonstrated the system by drawing a large X across his fingertip with a Magic Marker and then scanning that finger. The fingerprint image was untainted by the marker.
Iris scans. Iris scans are the most accurate of the biometric technologies. A report by the U.K.’s National Physical Laboratory (NPL) showed that iris scans had significantly fewer false accepts than other biometric technologies. This is one reason this type of biometric is often deployed in high-security areas.
In the past, iris scanning was seen as having some drawbacks. For example, participants needed to be very close to the scanning device, making it awkward and thus not appropriate for high-volume situations. That’s beginning to change, according to Tarvinder Sembhi, product management and business development director of Iridian, a maker of iris-recognition technologies.
“Currently the imagers that are available work anywhere from a couple of inches to about two feet away,” Sembhi says. “There are people who are doing some R&D to have iris at a greater distance, but those are not in production, they’re still in the research stage.” Ed Schaffer, director, positive identification, access control solutions, and homeland security with Unisys, says that one company he is familiar with has shown that it can scan irises from more than 10 feet away.
Iris scans are being tested by the government in the Transportation Worker Identity Card program, which is simultaneously testing fingerprint technology. Iris scans are also in use at several airports as part of the Registered Traveler pilot program.
In the private sector, iris-scan technology is being used to secure sites such as data centers and nuclear facilities that merit top security. It is also used as an internal layer of security for cash rooms, pharmacies, and patient ID systems in healthcare facilities, says Keith Kanestrin, Panasonic’s marketing manager.
And in a few cases, such as in an environment where people work in protective suits with gloves and where faces are covered, iris may be the only alternative, says David B. Johnston, vice president of marketing, Iris Technology Division LG Electronics U.S.A. Inc. Iris scans work through vision goggles and masks, he says.
Sometimes the iris-scan technology is added as a second biometric, Bradt says. In other cases, it is chosen not only to add another layer of security but also because end users are reevaluating earlier implementations.
“Right now every nuclear facility in the U.S. is using some form of biometric,” says Johnston. “But I believe they recognize the limits of the biometrics they may have bought years ago, which may not be doing what they need in a security environment that’s radically changed.”
The accuracy of iris scans comes at a price. “The cost difference between a proximity card and reader and an iris/smart card and reader is significant,” says Kanestrin. “An iris reader costs about $4,000, while prox readers are about $100 per door,” he says. As volume goes up, costs come down a little, he adds.
As for the future, Kanestrin says he expects processing power to be upgraded for faster searching of larger databases in 2005. In addition, he says, his company’s systems currently scale to 5,000 users. He expects that to double in the coming year.
Hand geometry. Hand-geometry devices have frequently been implemented in areas where rejects would cause inconvenience. For example, the technology is being used at San Francisco Airport to verify employee identities at access points, while the Port of Rotterdam recently rolled out a project to verify truck drivers entering and exiting the port using hand geometry in conjunction with a smart card. This type of biometric has a higher false-accept rate than fingerprints, but a lower false-reject rate, according to the NPL report.
Hand-geometry readers have some advantages over other technologies, including cost. A GAO report on biometrics notes that “no personnel costs are incurred because most hand-geometry devices are typically unattended.” In addition, hand-geometry readers require little training for users. However, technologists from Northrop Grumman say that they are familiar with one large-scale implementation in which the hand-geometry readers were removed from a turnstile entrance and replaced by another technology within a few days, because users were having difficulties in putting their hands in the proper position, and thus lines for entry were becoming lengthy.
IR Recognition Systems says that it is currently working on the next generation of hand geometry, which it expects to offer in late 2005. “We are changing the algorithm and the way in which the camera views the hand,” says Bill Spence, the company’s director of marketing. The company’s plans are ambitious. If expectations are met, Spence says, it will result in a tenfold decrease in the false-accept rate, an enormous improvement, though still far from the accuracy of an iris scan.
Face recognition. Face recognition has an important distinction: it is the only biometric that can be confirmed quickly and easily by a human, meaning that a guard can visually confirm the identity of someone who may have been falsely rejected. It is frequently used for surveillance measures, where users may not be aware that they are being scanned and their faces matched against a database.
While face recognition is less intrusive to users than other biometrics such as iris scans, it is also less accurate; the GAO report on biometrics points to factors that degrade accuracy, such as camera performance, facial position, expression, and changed features (a beard or sunglasses, for example). The report notes that the technology is most effective “when used in consistent lighting with cooperative subjects in a mug-shot-like position.”
Face recognition also compares poorly with fingerprint scanning. A 2004 NIST evaluation of fingerprint systems (the most recent available) concluded that “the most accurate fingerprint systems are more accurate than the most accurate facial recognition systems.”
But the technology for recognizing faces is improving, says Schaffer, who notes that companies are spending “significant amounts of dollars” on replacing two-dimensional with three-dimensional face-recognition technology. The update will help overcome problems that arise from differences in lighting conditions between the enrollment and the query image, and the limited amount of information that can be derived from a 2D image.
For example, San Jose, California-based Geometrix recently introduced its FaceVision System. This system comprises two small cameras flanked by a set of lights. In a test, it took about six seconds to acquire an image to enroll. However, the image that was acquired could be rotated through many angles (this would allow, for example, a 3D image to be compared to a 2D image that was acquired from a ceiling-level surveillance camera).
The system is already in use at the Cobb County Adult Detention Center in Georgia, where it is used to identify prisoners entering and exiting the facility. Typical performance specifications show the system has a false acceptance rate below 0.1 percent and false rejection rate of less than 3 percent, says sales engineer Steve Macdonald.
Geometrix is also rolling out a hand-held biometric computer that will allow police officers to use a PDA-size device to photograph a suspect in either 2D or 3D for facial recognition, take a fingerprint, scan an iris, and read a bar code. These data can then be sent wirelessly to police databases for rapid identification.
Biometric interoperability. Though advances have been made in the various biometric technologies, the biometrics industry as a whole has been hampered by the number of different technologies that exist. “Interoperability is one of the foremost challenges for the biometric industry for stimulating growth to forward its emergence, especially in the private sector,” says Kyoko Kaneda, a consultant with the International Biometric Group (IBG).
Concerns over trade secrets, such as the algorithms used to convert an image into a numerical template, have long been a significant obstacle to achieving interoperability.
“Each of those biometric images are stored on the card differently depending on the technology and the vendor, and there needs to be more of a uniform, standard way that allows that information to be retrieved and recorded accurately when there are multiple vendors” involved, explains Randy Vanderhoof, executive director of the Smart Card Alliance.
BioAPI. The interoperability problem may be solved thanks to several standardization efforts, including the BioAPI Consortium, a group of biometric vendors supported by NIST. The consortium is creating an open-system standard application program interface (API) that will allow software applications to communicate with a range of biometric technologies. Kaneda says that the group “is working to standardize a lot of these systems so that multiple biometric solutions can be used across multiple platforms.”
With the BioAPI Standard, “you can have a single template out there and be able to use that on multiple manufacturers’ readers,” says Bulkley. “I think that will drive acceptance of those technologies.” Kaneda agrees, saying that the movement on an interoperability standard has influenced IBG’s projection of the growth of the biometrics industry from just over $1 billion in 2004 to $4.6 billion by 2008.
Vanderhoof notes that the smart-card industry has long had an open standard, such as the “Open Platform” developed by Visa that has evolved into Global Platform, an international organization that maintains specifications for smart cards. There are also standards issued by the ISO and the federal government’s Government Smart Card Interoperability Specification (GSC-IS).
“There’s always been the need to have an open architecture so that multiple suppliers of cards and applications on those cards can be read interchangeably in different systems,” says Vanderhoof. He hopes that his colleagues can provide a good example to their biometric brethren. “The smart-card industry can bring that level of experience to the biometrics industry, encouraging them to come up with similar open standards for storing the biometric data on the smart card,” he says.
Combining the technologies. Some see the combination of these two maturing technologies as inevitable. “Biometry has been around for a long time, and the same as with smart cards, it’s always been purported to be the overnight success,” says Indala’s Mark Freundlich. “It’s been a very long night,” he quips, “but we do see daylight coming for both of these technologies, and they’re really very complementary.” He says that the most common marketplace trend is to store biometric data on the smart card itself.
Match-on. Keeping a user’s biometric data on a card, and not pulling it off to match it against a database, adds security and helps protect the privacy of the cardholder. Take, for example, a recent pilot program in Texas for some 30,000 Medicaid members. In this program, in which Axalto participated along with several other vendors, the members were given a smart card that contains a biometric identifier—in this case, a fingerprint, says Pattinson.
The number of participants, as well as privacy concerns, meant that creating an enormous database containing these members’ biometric information would be unwieldy at best, and a potential source of litigation. Therefore, the pilot uses “match-on” cards, where the matching function is done entirely within the card.
When a card and a cardholder’s finger are presented to an electronic reader, a mathematically derived template (rather than an image) of the fingerprint stored on the card is compared on the card’s processor with the template scanned by the reader. A match proves that the cardholder is indeed the person entitled to the Medicaid services.
“You don’t have to have an online environment, and you don’t have to have a big biometric database waiting in the wings” when performing match-on-card, Pattinson says. “This is all done by the card and the terminal at the time of use.”
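An added example, not code from the Texas pilot, from Axalto, or from any vendor, of a match-on-card VERIFY command along the lines described above. The card stores a minutiae template (x, y, angle) rather than an image, exposes no command that returns it, compares a probe template sent by the reader on its own processor, answers only accept or reject, and decrements a retry counter on failure. The template encoding, the matching tolerances, the decision threshold, the status words, and the three sample templates are all constructed for the example, and the matcher is far simpler than a real fingerprint algorithm.

```python
"""Match-on-card VERIFY.

Added illustration, not from the Texas pilot, Axalto, or any vendor.  A template
is a list of minutiae (x, y, angle_in_degrees); the encoding, tolerances,
threshold and the sample templates are constructed for the example.
"""
import math

SW_OK = 0x9000
SW_BLOCKED = 0x6983            # retry counter exhausted
SW_UNSUPPORTED = 0x6D00        # instruction not supported
INS_VERIFY = 0x20              # ISO 7816-4 VERIFY
MAX_TRIES = 3


def encode_template(minutiae):
    """3 bytes per minutia: x, y, angle/2 (angles 0..358 in 2-degree steps)."""
    out = bytearray()
    for x, y, angle in minutiae:
        out += bytes([x, y, (angle % 360) // 2])
    return bytes(out)


def decode_template(data):
    return [(data[i], data[i + 1], data[i + 2] * 2) for i in range(0, len(data), 3)]


def match_score(reference, probe, dist_tol=6.0, angle_tol=15):
    """Greedy one-to-one pairing: number of reference minutiae that have an
    unused probe minutia within dist_tol pixels and angle_tol degrees."""
    used, score = set(), 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            dangle = abs(ra - pa) % 360
            dangle = min(dangle, 360 - dangle)
            if math.hypot(rx - px, ry - py) <= dist_tol and dangle <= angle_tol:
                used.add(i)
                score += 1
                break
    return score


class MatchOnCard:
    def __init__(self, enrolled, threshold=8):
        self._template = list(enrolled)    # stays on the card; never returned
        self._threshold = threshold
        self._tries = MAX_TRIES

    def process(self, apdu):
        if apdu[1] != INS_VERIFY:
            return b"", SW_UNSUPPORTED     # there is no command that reads the template
        if self._tries == 0:
            return b"", SW_BLOCKED
        probe = decode_template(apdu[4:])
        if match_score(self._template, probe) >= self._threshold:
            self._tries = MAX_TRIES
            return b"", SW_OK
        self._tries -= 1
        return b"", 0x63C0 | self._tries   # ISO-style "failed, N tries left"


def verify(card, probe):
    """Reader side: send the probe template, get back only a status word."""
    _, sw = card.process(bytes([0x00, INS_VERIFY, 0x00, 0x80]) + encode_template(probe))
    return sw


# Constructed sample templates (not real fingerprint data).
ENROLLED = [(40, 60, 30), (55, 120, 200), (70, 35, 95), (90, 180, 310),
            (110, 75, 140), (130, 150, 20), (150, 50, 260), (165, 110, 80),
            (180, 190, 175), (200, 90, 350), (215, 160, 120), (230, 40, 225)]
# Same finger: small jitter, two minutiae missed, one spurious one added.
GENUINE = [(41, 61, 32), (54, 121, 203), (71, 34, 93), (91, 181, 312),
           (109, 76, 138), (131, 149, 22), (151, 49, 262), (166, 111, 78),
           (181, 189, 177), (201, 91, 348), (25, 200, 10)]
# Different finger.
IMPOSTOR = [(30, 30, 10), (60, 200, 100), (100, 100, 300), (140, 20, 45),
            (170, 160, 200), (205, 60, 130), (240, 120, 270), (120, 210, 60),
            (80, 130, 330), (190, 30, 15), (150, 230, 250), (45, 170, 90)]

if __name__ == "__main__":
    card = MatchOnCard(ENROLLED)
    print("genuine  -> SW %04X" % verify(card, GENUINE))
    print("impostor -> SW %04X" % verify(card, IMPOSTOR))
```

Nothing in the exchange carries the enrolled template or an image off the card, so the reader and the back end never hold anything that could be harvested into a database; a lost card gives an attacker a blocked verifier after a few wrong attempts rather than a template.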
Logical access. A smart card with embedded biometric data can help to bridge the gap between physical and IT security by being used for logical as well as physical access. That would help to prevent or deter insider crimes, McKeon says. A problem that he sees often when IBM performs vulnerability assessments on clients is that it’s too easy for an insider to get access to confidential customer information or other company data that the employee is not authorized to see.
He says that one way to prevent these crimes is to have a desktop reader that is used along with a biometric scanner. Plug the card into the reader and then, say, scan a finger, and a user can be authenticated and logged into the system. Several iris-scan providers, such as Panasonic and LG Electronics, also have computer-access applications.
“It’s not good enough just to know who’s walking in the front door and signing the guest book,” McKeon says. “You need to be able to strongly authenticate who’s getting on the system, who’s performing transactions, and so on.” This audit trail is also of value in meeting regulatory requirements.
Convenience. New generations of smart cards with embedded biometric data can offer a convenience factor for users, because passwords can be loaded onto the card, meaning that a user no longer has to remember them. As a result, an administrator could use very long and complex passwords and change them regularly, all without any action on the part of the user. Cards can also hold a user’s private key along with its digital certificate, addressing a major weakness of PKI deployments: a private key stored on a general-purpose computer can be copied, whereas one generated and kept on the card never leaves the chip.
McKeon says that businesses are seeing real cost savings from the trend toward smart cards and embedded biometrics because it dramatically decreases the amount of time that IT administrators spend resetting passwords forgotten by users, which can cost around $40 per change.
Some financial services companies that have not yet moved to combination smart cards are beginning to make slow transitions to biometrics separate from the card in part to reduce password-resetting costs, says Schaffer. “One of the interim steps is to use a voice-recognition password-reset solution,” he says. Rather than bothering the help desk, a user would call in and be connected to a computer and then would use a preregistered phrase to voice authenticate. If the voice is authenticated, the computer resets the password.
Government proving ground. Government-led efforts to embed biometric data into smart cards and then get those cards into the hands of government workers and contractors will be a big part of getting the public to accept and become comfortable with these technologies, says Bob Sawyer, president and chief technology officer of AMAG, a manufacturer of electronic access control systems.
Sawyer says that some estimates put the number of cards to be issued under a developing government-wide standard for secure forms of identification as high as 60 million. “When you start having that type of presence of card, and the fact that it’s with government contractors, it will move into the commercial world” more easily, he says.
But the commercial world is taking its own steps to popularize biometrics. At the same time that IBM announced its Secure Identity Management Solution late last year (for more on this, see sidebar, page 48, “Integrating Biometrics and Smart Cards”), it demonstrated a new IBM ThinkPad laptop with a built-in fingerprint scanner. By sliding an index finger across the sens