Trends in ID Cards
WHEN IT COMES TO UPGRADING ID CARDS, perhaps the biggest operating goal in recent years has been getting them to serve multiple functions. Not only do global businesses want their traveling employees to have one-card access to facilities worldwide, but they also want the cards to work for more than gaining entry through secure doorways. That is leading more companies to move to smart cards with embedded microchips. With their read and write capability, smart cards can be used for everything from financial transactions to time and attendance tracking, equipment and material checkout, healthcare processing, and network logon.
In some cases, the adoption by companies of cards for computer access is the first step in the card’s wider use in a more converged physical/logical access system. “Some companies are realizing that if they don’t upgrade their physical access control at the same time, people start leaving their cards in their computers,” says Perry Levine, a senior director of business development at Buffalo Grove, Illinois-based Siemens Building Technologies.
That dual-use is helping security to justify and pay for cards. “What we see often is that funding is coming from the logical side,” says Levine.
Of course, the more information a card contains and the more functions it serves, the more critical it is that the card itself be secure. One way that companies have improved security is by moving from 125 KHz radio frequency identification (RFID) technology to the more securely encrypted 13.56 MHz variety.
Smart cards come with strong encryption, both among individual card applications and when being read. They work as if they have “multiple little file key cabinets, each with a separate encryption key,” says John Smith, a Honeywell Security marketing manager. Smart cards frequently require the use of a PIN as well and enable additional authentication methods, such as the use of biometrics, which are among the fastest growing security-related applications.
While biometric devices do not always require cards, many organizations have chosen to use the two together. Card-based devices “tend to be faster and more accurate,” because the system only has to do a one-to-one match of the biometric on the card and the live biometric (such as a fingerprint) offered by the user at the time access is requested, says Beth Thomas, a Honeywell product manager. Card-based systems typically generate fewer privacy concerns, she adds, as employees carry their biometric data with them as opposed to it residing in a database.
Smart cards generally make contact with readers, but one recent smart card development is changing that. The technology is called near-field communications (NFC), and it involves loading a small applet on a contact chip, providing the latter with proximity card capability. It allows users to take advantage of smart card applications from a distance.
A handful of companies—mainly in Europe and Asia—are combining NFC technology with cell phones. Since last year, for example, Swiss ID card vendor LEGIC Identisystems has been involved in a joint NFC pilot project with two other Swiss firms, the telecommunications company Swisscom and the vending firm Selecta Management, to offer payments via mobile device. LEGIC plans to expand the use of NFC mobile phones, employing them for local public transportation ticketing, e-payments, as well as hotel room and other kinds of physical access.
Companies are also looking to pack smart cards with more features. One firm, Los Angeles-based Innovative Card Technologies (ICT), for example, is marketing the first card that also offers one-time password (OTP) functionality. The Smart DisplayCard is the size of a credit card; a small button can be pressed to generate a number of six to eight digits in a screen on the upper right-hand corner.
Along with a traditional user name and password, these numbers can be entered to gain Web site access. “It’s a lot more convenient than [OTP] tokens you carry on your key chain,” says Susan Roush, ICT spokesperson. The card contains a smart card chip, permitting the addition of a host of other applications. Marketed primarily to banks and brokerages, it’s already in use at a handful of global organizations.
So far, smart card technology has been more popular outside the United States. It is used far more often in other countries for transactions such as transportation ticketing. Many believe this is changing, however, and that the United States could be pulling ahead, mainly due to efforts by the U.S. Government.
The cards received a major boost with the Bush Administration’s 2004 Homeland Security Presidential Directive 12 (HSPD-12), which mandates that all federal executive departments and agencies issue “secure and reliable forms of identification” to their employees and contractors. A goal is to employ one card for multiple purposes.
The U.S. Department of Defense (DoD), has a separate ambitious program. Its Common Access Cards (CAC) are used for general identification as well as access to computers, networks, and other DoD facilities. Features include a biometric template and the ability to cryptographically sign e-mail.
Perhaps most impressive is how far it has come: About 3 million cards are currently active.
In response to HSPD-12, the National Institute of Standards and Technology issued FIPS-201, concerning security and interoperability standards. It encompasses not just the card but the broader technological solution needed to manage credentials, including enrollment, data capturing, card issuance, and management.
A number of private organizations have been looking to the standard for best practices guidance. They’re also paying more attention to the overall ID management process.
Card technology vendors have been partnering with vendors of financial, human resources, and legal database systems to facilitate having cards interact with these systems. But putting together cards and an assortment of other technologies isn’t always simple. “That’s one of the biggest challenges” in creating end-to-end solutions, says Thomas.
The following case studies illustrate how two companies have transitioned to multifunction card technology using smart cards.
About three years ago, Keith Ward, Northrop Grumman’s director of enterprise security and identity management, and a handful of his staff, began meeting with groups of department managers at a rural Virginia retreat to discuss a major new ID access plan. There was a lot to talk about: what to put on the smart cards, how to go about training, and how to alleviate concerns that might arise.
The plan was to outfit several thousand employees with the card. One badge would substitute for two or three. The single identity would align itself with the successful DoD program.
The system would be automated and would have the ability to grab disparate data from various sources, providing and cross-checking necessary background information to authenticate a person and clear them to be issued a card.
In a series of meetings, Ward and other staff gathered input from a range of managers, including those from security, human resources, and other departments that would play critical roles. The industrial security department would be responsible for the final badge issuances. The “entire process” was discussed, says Ward. Subjects ranged from diplomats’ unique applications to department training to any necessary policy changes.
One area of concern for managers was privacy. Managers knew the card technology’s capabilities. “With its microprocessor, they’re like distributed computers,” says Ward. Managers were also aware of alternative time-management applications at Northrop facilities such as shipyards, says Ward.
Many employees are represented by unions, and it was important to gain their support. Ward says concerns were lowered when he mentioned that unions would “become owners” of sensitive data from time management and other sensitive applications. Most managers were supportive after Ward described the business benefits, such as making it easier to access DoD facilities.
Card format. From the beginning, a major program goal was to closely follow the DoD model. “When we did initial research into a new card system, we found that some 90 percent of our existing contracts mentioned FIPS-201 or had similar requirements for proofing and vetting,” says Erik Bowman, a Northrop systems engineer.
The majority of the card’s technological format is laid out in a DoD publication. Each would contain 64k microprocessors, biometric templates, embedded antennas, magnetic (mag) stripes, and Triple DES encryption.
Initially, the goal was just to put a few applications on the cards, including physical access, computer sign-on, and online network portal entry. With DoD and other federal agencies, portal access has been one of the fastest-growing smart card applications in recent years. The mag stripe and other components would be used for applications such as time-keeping.
The computer sign-on functionality would be a move to two-factor authentication. Employees would enter a user name and password; they would then insert the card into a reader and enter a PIN on the keypad.
Each card would have the ability to use biometrics but only the more sensitive positions would activate that capability. That might, for example, apply to Northrop Grumman personnel who had to work in a battlefield situation with the DoD. In that case, the card would be inserted into a reader; the user would provide a live fingerprint while the reader examined the stored biometric template; then the user would provide the PIN for three-factor authentication.
System software. In addition to the cards, there would be the software, running the system, which would allow access to various human resource and access control databases. With the old system, information about a new employee’s physical access and computer access privileges would be segregated. With the new system, it was interconnected and access to the most recent updates was automated.
Automation is important, Bowman says, especially with 130,000 employees. In this case, only the first time card issuance typically requires human authorization, he says.
Inside job. Northrop took an unusual step for the firm, turning to a normally external-facing business unit to set up the card databases. About six units with expertise in ID access and security were given the opportunity to submit proposals. The goal was to hone the unit’s ID access skills, building experience that could also be leveraged for outside work.
Each aspect of the overall program was segmented into a project for one of the teams, and it was set up to have quarterly deliverables. Last year, there were 21 projects, says Ward. They ranged from placing contractors in an active directory to the training and quality standards surrounding fingerprinting.
In another unusual step, Northrop also brought in a Six Sigma team at the project’s start rather than after its completion. The team helped define a strong investment return, says Ward.
Supplies. Once the card databases were worked out, it became far easier to contract with vendors, he says. The company sought vendors with DoD ID access experience, says Ward. A proof of concept was released about mid-2006. One winning bidder was Novell, which would supply the bulk of the new software and hardware. It had both private sector and public sector experience, including with DoD. One selling point was that both the software and hardware are highly flexible, says Bowman.
Training. While staff had been consulted in the planning phase, as the startup date approached, it was also important that staff get specific instructions in how the cards should be used. The message to employees was reinforced through written documentation describing some of the system’s benefits and how it would work. Basic instructions were given in areas such as card insertion; an 800 number to the helpdesk was provided.
Local authorities were trained on issuing the cards. The company took a subset of helpdesk workers and did tier-one and tier-two support training. They were taught some troubleshooting basics to make sure that they would be able to respond quickly to problems, such as how to free up a card that had been frozen after too many wrong PIN entries.
Cost. Although declining to discuss what it has cost to purchase and install the system, Bowman anticipates cost savings. While helpdesk calls grew during roll-out, they’re now down to lower levels than before, he says, which should help cut labor costs. Employees are also now using one card in place of two, three, or more. Each card costs about $7 to $10.
Challenges. Getting all the technology to work together was sometimes challenging, says Bowman. In one case, bad cards were delivered and had to be reissued. When problems occurred, it was sometimes difficult to assess the cause, both in terms of the technology and the human factor. Was it a user problem? A vendor problem? “Everyone points fingers at one another on performance issues,” Bowman notes. But the experience has helped Northrop learn to isolate technical problems and ensure that “vendors put in the fixes,” he says.
Approval. Another challenging aspect of the initial roll-out was adjusting the governance. A major goal was to get the system to be FIPS-201 compliant. That meant that, among other things, information collection had to be handled a certain way, he says. Ward says it helped to use a government auditor, the General Services Administration’s Electrosoft.
Timing. Recently, the firm finished rolling out the initial installation. Northrop’s now experimenting with additional three-factor authentication methods. The new card readers Northrop bought for desktops, for instance, come with fingerprint readers, which could be broadly used at some point. The cards can also be programmed to serve as the logon access control mechanism for many additional Web platforms.
Online programs that staff now access by providing usernames and passwords could be switched over to digital certificate authentication. Cards may also be used for financial purposes, such as with Northrop’s Federal Credit Union, or possibly tied to a corporate card. “We’re just scratching the surface with the cards’ capabilities,” says Bowman.
In late 2005, PricewaterhouseCoopers (PWC) was planning to consolidate its 13 Zurich, Switzerland, offices into new headquarters. The company saw the consolidation as a way to generate efficiencies. One way it would do so was by fitting multiple applications on one smart card. The company did just that in 2006 via a system from LEGIC.
It was a significant technological leap. Until then, the offices had relied mainly on keys, says Corina Gerber, senior facilities manager. Some offices had relatively simple cards containing the user’s name and the PWC logo.
In addition to being used for building, elevator, and garage entry, the new cards help facilitate an office timesharing arrangement. With the cards, users rent one of about 100 of the headquarters’ temporary workstations. A number of the central office’s 1,200 employees work at their clients’ sites, but they can use the card to gain access to any of the temporary stations when visiting headquarters.
Employees can also use the card to purchase food from the cafeteria and snack machines. The card can hold credit for about 100 Swiss Francs.
They also grant access to the company’s multifunctional devices that can print, scan, make copies, and send faxes. In the system, which PWC calls “Follow & Secure,” employees go to an assigned fax/copier/printer/scanner on their floor and insert their card to access print jobs or initiate document scanning. This way employees are near their print jobs and, therefore, less likely to forget them.
The card, which also contains a fingerprint biometric of the cardholder, is used after hours for access to the building.
Initially, some employees seemed hesitant to give their print because of privacy concerns, says Gerber. Some concerns were allayed when PWC communicated that the device uses just five fingerprint points, a far less detailed method than that used for criminal investigations. Now that the system is in place, she says, new employees “just see it as an acceptable part of processing on their first day.”
The new system’s far more secure than the previous one, she says. One reason is the controllability. “If someone leaves, the badge can be automatically deactivated,” notes Gerber.
As an added precaution, PWC’s name is not on the cards. Thus, even if a lost or stolen card were found before it was reported and deactivated, a person would not know what it granted access to.
The new system is far more convenient and faster than keys, Gerber adds. The cards use the 13.56 MHz RFID proximity technology, which has stronger encryption than the more common 125 KHz version.
As with Northrop’s implementation, Gerber says, one of the biggest challenges was working with vendors and card suppliers on the technology. “In some ways, the only way to find out is while you’re working with it,” she says.
But lessons were learned, which will help when the company implements the system in other offices elsewhere in Switzerland, Gerber notes, adding: Having the same system across all organizations has become an important goal.
John Wagley is an associate editor at Security Management.