You have heard it before, but this time technological advances and security demands in a post 9-11 world make the move to smartcards more likely. Mark Twain once famously quipped that rumours of his death were greatly exaggerated. Turn that joke on its head to get an idea of the hype surrounding smartcard and biometric technology: In this case, it is rumours of their use that have in the past been greatly exaggerated.
That is not the case anymore. Particularly since the tragedies of 9-11, smartcard and biometric use has indeed been on the rise.
Some statistics tell the story. According to EuroSmart, an international smartcard association, more than a billion microprocessor cards were shipped globally in 2004, up from some 815 million the year before. Biometrics is already a billion-dollar business, and it is expected to nearly quintuple in four years. Security-related uses include banking applications, identification, and physical access.
Several government initiatives (in the US) are driving smartcard growth, including a new Presidential Directive, the Patriot Act and the Gramm-Leach-Bliley Act. Just as important as the regulatory environment are the technological advances in smartcards and biometrics.
Inside the card
Advances in chip technology are making smartcards more powerful and thus more appropriate for new applications. Today's smartcards are nothing less than single-chip computers with extensive memory, explains Neville Pattinson, director of business development and technology for Axalto America. The company produces high-end smartcards and creates the operating systems that the chips run.
A note on terminology. The term 'smartcards' is used to describe different types of cards, from cards that simply carry data in memory to those that can carry out sophisticated processing of data. As used in this article, 'smartcards' refer to cards fitted with a microprocessor chip that can dynamically process data.
This terminology, notes Dovell Bonnett, director of partners and alliances with HID, is not strictly accurate; these chips are actually microcontrollers, or what might be thought of on a computer as the motherboard, rather than simply a single part of the motherboard. However, given the widespread use of 'microprocessor' to describe these chips, this article will use that term.
Smartcard technology has advanced remarkably, experts say, in terms of both the amount of memory a single chip can store, and with regard to the power of the chip itself. Current smartcards have 64 kB of memory, but, says Pattinson, "I am sure 128, 256, 512 kB of data will become available on smartcards" in the not-too-distant future. He says that advances in silicon geometry will allow the chips to become ever more powerful, with the only limitation being the space available on the card itself. "We have 5 x 5 mm physical size to fit [the chip] into," he says.
It is not only the chips that have changed, but also the way they work. The change began in the late 1990s with the introduction of the Java card, which allows multiple functions, protected by firewalls, to coexist on a single card. Java cards also allow new functions to be added.
To understand how previous types of smartcards - which Pattinson terms 'file-system cards' - differ from the Java card (created by Axalto, using Sun Microsystems' Java technology), Pattinson gives the example of an electronic-wallet application in which a card would hold balance information. "If you wanted to change [the balance], you had to modify the information off the card, and send it back to the smartcard and store it back in the file," says Pattinson.
The Java card provides all that functionality within the card, meaning that data can be stored and modified safely within the card itself. So, for example, a command to deduct money from the card's balance would be sent to the card, rather than pulling the balance off the card and carrying out the operation. Keeping the data on the card adds additional security. Similarly, as discussed in a following section on biometrics, matching a person's biometric template (from, say, a fingerprint) to one stored on a card can be carried out on the card itself, meaning that organisations do not need to keep large databases of biometric information if they merely want to verify that the person presenting an ID card is the person authorised to have that card.
Java cards are capturing an increasingly large part of the smartcard market. Sun Microsystems announced at a recent trade show that more than 750 million Java cards have already been deployed. That represents a growth of more than 50% in a single year, according to Sun.
Java cards work through what are called 'applets,' tiny programs that carry out individual applications, Pattinson says. A small piece of software called a virtual machine interprets these applets and the proper operations are then carried out by the microprocessor. Each applet is isolated from the others with a firewall as an added layer of security. Java cards can have many applets, making them multifunctional. For example, one applet could provide the e-wallet functionality, another could allow access to a building, another could be used for biometric authentication.
What makes these applets so attractive is that anyone with a software development kit and some knowledge of Java can create an application, meaning it can be precisely tailored to any business environment.
This capability may raise fears that a malicious applet that would compromise security could be loaded onto a card. However, Java cards have built-in security measures such as an authentication process and digital signing procedures that verify that the applet being loaded is authorised. In addition, the firewalls prevent applets from interacting with an existing applet. Consequently, "only the people who issue the cards have control over which applets will ultimately go on and be operational on those cards", Pattinson says.
There are other trends worth noting with regard to smartcards, such as contactless cards, hybrid cards, and new generations of smartcard readers.
Bonnett notes that traditional 125 kHz prox cards are read-only, meaning they can hold and store - but never change - any information. The company's new contactless iClass line is far more sophisticated and, at 13,56 MHz, far more powerful. "With a lot of the new technology we are doing with iClass and our other contactless technologies, we do have processing capabilities on the card," such as the ability for a new code to be created on a card each time it is held up to a reader, for added security. Bonnett says that iClass is a microcontroller-based technology, just in the contactless realm. The number and types of applications it can perform are limited because it does not use the Java operating system.
The faster processors of these cards allow benefits such as faster data processing and throughput. The greater memory means that the cards could do more than simply allow or deny access. They could hold information such as an employee's medical history, encryption algorithms, and biometric identifiers.
Contactless cards have other benefits as well. For example, they add durability to the mix. "From a physical-access point of view, we do not want to put up insertion contact readers," says Andrew Bulkley, senior director, product strategy enterprise solutions with GE Infrastructure, Security. Customers prefer contactless readers, because the insertion readers tend to be high maintenance, thanks to wear-and-tear as cards are run through them. Corey Kirschner, director, border control solutions at Unisys says that the contactless cards last longer as well. "Chips get rubbed off and worn out," he says. "The federal government, in the Common Access Card in the DoD, is exploring contactless cards because of the durability issue. It is faster, and you do not have to touch anything."
The promise and cost savings of smartcards can be offset by the expenses associated with making a transition from, say, a mag-stripe card used for physical access to a smartcard with fingerprint biometric data on board.
The key is to find a way to transition without completely replacing the old system. These new systems need some level of backwards compatibility because of the enormous expense of purchasing new cards and readers and installing new systems, not to mention getting workers enrolled, according to Mark Freundlich, president of Indala, which makes access-control devices including cards and readers.
"One of the biggest areas of growth we see in the market are multitechnology or combination cards that are assisting people in the change from legacy [systems] to higher levels of reader technology," Freundlich says.
"A hybrid card has multiple technologies residing on a common platform that do not share information and do not communicate with each other," says Bonnett. With hybrid cards, companies can "take some of their existing installed technologies and add more value to that same platform by adding additional technologies onto it. We take our prox card and add a contact smart module to it, and now you have got capabilities there you did not have before," he says.
"You can put a lot of different technologies onto this little piece of plastic including mag stripes, bar codes, and optical character recognition (OCR) codes", adds John McKeon, principal, biometrics and smartcards, IBM Global Services. These cards can also be contact and contactless.
Putting various technologies on a single card helps achieve compatibility with legacy systems and makes the transition to a smartcard/biometric environment smoother, both important considerations for a business, says Bulkley.
McKeon gives an example of a customer that uses a hybrid card as a migration platform. "I have an old physical access system that is, say, mag stripe, and I want to move to a contactless technology over time. I am not going to replace 10 000 readers overnight. What I am going to do is replace 100 readers per quarter. By putting both the contactless smartcard and a mag stripe onto the ID badge, I can now upgrade that physical access system at my own pace."
"Another benefit of these cards is that there is a built-in backup system in case one part of the card has a problem," says Bonnett. "If one of the technologies fail for whatever reason, the rest of the card is still accessible and usable," he says. He compares hybrid cards to dual-technology cards where both technologies are on one chip. In these, "a single piece of silicon is able to do both contact and contactless" interfaces. But "if the chip fails, it fails for everything," he says, adding that these cards are also more difficult to manufacture.
Cards with both contact and contactless interfaces are, as noted previously, becoming more common. Card readers are beginning to have some of the same functionalities, says HID's Bonnett. He notes that companies such as Omnikey have a dual-interface reader that can read both contact and contactless cards.
Despite growing capabilities, smartcards have not caught on in the United States as fast as in Europe. One of the groups that seem likely adopters - credit card issuers - have been slow to take the plunge. These companies are still not sold on smartcards, in large part because the cards are not deemed economical, says Joel Lisker, senior vice chairman of Dudinsky Lisker & Associates and former senior vice president of security and risk management for credit card giant MasterCard International.
A credit card can be produced (prior to personalisation) for about 26 cents (US), while microprocessor-chip cards can run between one and three (US) dollars apiece, says Lisker. "Fraud is running about six or seven basis points - in other words, six or seven one-hundredths of 1% - so it is hard to justify in a business case paying that kind of money when you are issuing 40 million cards," he says. "The cost of the solution outweighs the risk, and that has been the holdback" to wider use of these cards.
"That has always been a challenge on the financial services side," agrees Bryan Ichikawa, a smartcard expert and a solutions architect with Unisys. "The saying is that the fraud pain threshold that the smartcard would otherwise mitigate is not high enough to overcome the price of the card itself," he says.
Ichikawa also points out that a switch to smartcards, with or without biometrics, involves more expenses than just the new cards. "The cost is not just for the card but you have to have readers, so now you are talking about not only the issuing side but from the acquiring side. You have got all those merchant terminals that have to be retrofitted to handle smartcards," he says, "and that is a tremendously large expense."
Technological advances are also occurring in the biometric industry, whose fortunes are closely aligned with smartcards, because the latter is often the delivery mechanism for the former.
There are many biometric technologies, from obvious to obscure (these latter include systems that would analyse odour, gait or vein structure), but the most commonly implemented systems are fingerprints, iris scans, face recognition, and hand geometry. These technologies vary not only in terms of their accuracy but also in the types of applications and facilities for which they are best suited.
According to research from the International Biometric Group, fingerprint technologies have nearly half of the market share of biometric technologies (hand geometry and facial recognition are about equal with 11 and 12% of the market respectively, and iris represents 9%).
Particularly for government facilities, fingerprints tend to be the biometric of choice. They have always been among the most accurate of biometric options, and they are getting better and less expensive. "Over the last 24 months, the technology around the capacitor sensors [used in fingerprint readers] has improved dramatically, while prices have fallen", says Gary Bradt, vice president of the biometrics division of Silex America, which makes fingerprint readers.
Those improvements may help overcome the technology's shortcomings, such as a high failure-to-enrol rate. This is the number of people who for some reason are unable to reliably and repeatedly generate a good image; for example, a test by the Federal Aviation Administration in 2001 found that two out of 38 users - more than 5% - were unable to enrol because of the poor quality of their fingerprints, according to a report by the Government Accountability Organisation (GAO).
The accuracy of this type of biometric is enhanced greatly when more than one finger is used in a scan. A recent evaluation of competing fingerprint technologies by the National Institute of Standards and Technology (NIST) showed that a system from NEC had a true-accept rate of 98,6% when one finger was scanned; 99,6% when two fingers were considered; and higher than 99,9% when four, eight and 10 fingers were tested. On the other hand, the NIST report showed that accuracy drops as the age of subjects increases, particularly for subjects over 50 years of age.
One problem facing fingerprint systems, and other systems that require a user to put a finger or hand in a place where countless others have also put theirs, is hygiene. A report from the GAO on the use of technology to secure federal buildings noted, 'Certain groups of individuals resist using biometric devices because of hygiene issues.' This situation was particularly noticeable in some Asian countries at the height of the SARS epidemic, a concern that has declined as the disease has, says Teresa Wu, marketing specialist for biometric vendor Sagem Morpho.
Another issue has been a high failure-to-acquire rate, in which image quality is unacceptable. In particular, fingerprint scanning in environments where users may have dirty, greasy, or even nicotine-stained fingers can be prone to problems. One company, Ultra Scan, believes that it has found a way to overcome this issue with an ultrasonic fingerprint scanner.
"It works the same as ultrasound," explains John K. Schneider, president of the Amherst, NY-based company. "It can image through multiple mediums," including some types of latex gloves (such as those that may be worn in a hospital). Schneider demonstrated the system by drawing a large X across his fingertip with a Magic Marker and then scanning that finger. The fingerprint image was untainted by the marker.
Iris scans are the most accurate of the biometric technologies. A report by the UK's National Physical Laboratory (NPL) showed that iris scans had significantly fewer false accepts than other biometric technologies. This is one reason this type of biometric is often deployed in high-security areas.
In the past, iris scanning was seen as having some drawbacks. For example, participants needed to be very close to the scanning device, making it awkward and thus not appropriate for high-volume situations. That is beginning to change, according to Tarvinder Sembhi, product management and business development director of Iridian, a maker of iris-recognition technologies.
"Currently, the imagers that are available work anywhere from a couple of inches to about two feet away," Sembhi says. "There are people who are doing some R&D to have iris at a greater distance, but those are not in production, they are still in the research stage." Ed Schaffer, director, positive identification, access control solutions and homeland security with Unisys, says that one company he is familiar with has shown that it can scan irises from more than 10 feet away.
Iris scans are being tested by the government in the Transportation Worker Identity Card programme, which is simultaneously testing fingerprint technology. Iris scans are also in use at several airports as part of the Registered Traveler pilot programme.
In the private sector, iris-scan technology is being used to secure sites such as data centres and nuclear facilities that merit top security. It is also used as an internal layer of security for cash rooms, pharmacies, and patient ID systems in healthcare facilities, says Keith Kanestrin, Panasonic's marketing manager.
And in a few cases, such as in an environment where people work in protective suits with gloves and where faces are covered, iris may be the only alternative, says David B. Johnston, vice president of marketing, Iris Technology Division LG Electronics USA. Iris scans work through vision goggles and masks, he adds.
Sometimes the iris-scan technology is added as a second biometric, Bradt says. In other cases, it is not only to add another layer of security, but also because end users are re-evaluating earlier implementations.
"Right now every nuclear facility in the US is using some form of biometric," says Johnston. "But I believe they recognise the limits of the biometrics they may have bought years ago, which may not be doing what they need in a security environment that is radically changed."
The accuracy of iris scans comes at a price. "The cost difference between a proximity card and reader and an iris/smartcard and reader is significant," says Kanestrin. "An iris reader costs about $4000, while prox readers are about $100 per door," he says. As volume goes up, costs come down a little, he adds.
As for the future, Kanestrin says he expects processing power to be upgraded for faster searching of larger databases in 2005. In addition, he says, his company's systems currently scale to 5000 users. He expects that to double in the coming year.
Hand-geometry devices have frequently been implemented in areas where rejects would cause inconvenience. For example, it is being used at San Francisco Airport to verify employee identities at access points, while the Port of Rotterdam recently rolled out a project to verify truck drivers entering and exiting the port using hand geometry in conjunction with a smartcard. This type of biometric has a higher false-accept rate than fingerprints, but a lower false-reject rate, according to the NPL report.
Hand-geometry readers have some advantages over other technologies, including cost. A GAO report on biometrics notes that 'no personnel costs are incurred because most hand-geometry devices are typically unattended'. In addition, hand-geometry readers require little training for users. However, technologists from Northrop Grumman say that they are familiar with one large-scale implementation in which the hand-geometry readers were removed from a turnstile entrance and replaced by another technology within a few days, because users were having difficulties in putting their hands in the proper position, and thus lines for entry were becoming lengthy.
IR Recognition Systems says that it is currently working on the next generation of hand geometry, which it expects to offer in late 2005. "We are changing the algorithm and the way in which the camera views the hand," says Bill Spence, the company's director of marketing. The company's plans are ambitious. If expectations are met, Spence says, it will result in a tenfold decrease in the false-accept rate, an enormous improvement, though still far from the accuracy of an iris scan.
Face recognition has an important distinction: it is the only biometric that can be confirmed quickly and easily by a human, meaning that a guard can visually confirm the identity of someone who may have been falsely rejected. It is frequently used for surveillance measures, where users may not be aware that they are being scanned and their faces matched against a database.
While face recognition is less intrusive to users than other biometrics such as iris scans, it is also less accurate; the GAO report on biometrics points to attenuating factors such as camera performance, facial position, expression, and changed features (a beard or sunglasses, for example). The report notes that the technology is most effective 'when used in consistent lighting with cooperative subjects in a mug-shot-like position.'
Face-recognition technology did not stand up well against fingerprint scanning, according to a 2004 report (the most recent available, http://fpvte.nist.gov) of fingerprint systems by the National Institute of Standards and Technology, which concluded that "the most accurate fingerprint systems are more accurate than the most accurate facial recognition systems".
But the technology for recognising faces is improving, says Schaffer, who notes that companies are spending 'significant money' on replacing two-dimensional with three-dimensional face-recognition technology. The update will help overcome problems that arise from differences in lighting conditions between the enrollment and the query image, and the limited amount of information that can be derived from a 2D image.
For example, San Jose, California-based Geometrix recently introduced its FaceVision System. This system comprises two small cameras flanked by a set of lights. In a test, it took about six seconds to acquire an image to enrol. However, the image that was acquired could be rotated through many angles (this would allow, for example, a 3D image to be compared to a 2D image that was acquired from a ceiling-level surveillance camera).
The system is already in use at the Cobb County Adult Detention Center in Georgia, where it is used to identify prisoners entering and exiting the facility. Typical performance specifications show the system has a false acceptance rate below 0,1% and false rejection rate of less than 3%, says sales engineer Steve Macdonald.
Geometrix is also rolling out a handheld biometric computer that will allow police officers to use a PDA-size device to photograph a suspect in either 2D or 3D for facial recognition, take a fingerprint, scan an iris, and read a bar code. These data can then be sent wirelessly to police databases for rapid identification.
Though advances have been made in the various biometric technologies, the biometrics industry as a whole has been hampered by the number of different technologies that exist. "Interoperability is one of the foremost challenges for the biometric industry for stimulating growth to forward its emergence, especially in the private sector," says Kyoko Kaneda, a consultant with the International Biometric Group (IBG).
Concerns over trade secrets, such as the algorithms used to convert an image into a numerical template, have long been a significant obstacle to achieving interoperability.
"Each of those biometric images are stored on the card differently depending on the technology and the vendor, and there needs to be more of a uniform, standard way that allows that information to be retrieved and recorded accurately when there are multiple vendors involved", explains Randy Vanderhoof, executive director of the Smart Card Alliance.
The interoperability problem may be solved thanks to several standardisation efforts, including the BioAPI Consortium, a group of biometric vendors supported by NIST. The consortium is creating an open-system standard application programme interface (API) that will allow software applications to communicate with a range of biometric technologies. Kaneda says that the group "is working to standardise a lot of these systems so that multiple biometric solutions can be used across multiple platforms."
With the BioAPI Standard, "you can have a single template out there and be able to use that on multiple manufacturers' readers," says Bulkley. "I think that will drive acceptance of those technologies," Kaneda agrees, saying that the movement on an interoperability standard has influenced IBG's projection of the growth of the biometrics industry from just over $1 billion in 2004 to $4,6 billion by 2008.
Vanderhoof notes that the smartcard industry has long had an open standard, such as the 'Open Platform' developed by Visa that has evolved into Global Platform, an international organisation that maintains specifications for smartcards. There are also standards issued by the ISO and the federal government's Government Smart Card Interoperability Specification (GSC-IS).
"There has always been the need to have an open architecture so that multiple suppliers of cards and applications on those cards can be read interchangeably in different systems," says Vanderhoof. He hopes that his colleagues can provide a good example to their biometric brethren. "The smartcard industry can bring that level of experience to the biometrics industry, encouraging them to come up with similar open standards for storing the biometric data on the smartcard," he says.
Combining the technologies
Some see the combination of these two maturing technologies as inevitable. "Biometry has been around for a long time, and the same as with smartcards, it has always been purported to be the overnight success," says Indala's Mark Freundlich. "It has been a very long night," he quips, "but we do see daylight coming for both of these technologies, and they are really very complementary." He says that the most common marketplace trend is to store biometric data on the smartcard itself.
Keeping a user's biometric data on a card, and not pulling it off to match it against a database, adds security and helps protect the privacy of the cardholder. Take, for example, a recent pilot program in Texas for some 30 000 Medicaid members. In this program, in which Axalto participated along with several other vendors, the members were given a smartcard that contains a biometric identifier - in this case, a fingerprint, says Pattinson.
The number of participants, as well as privacy concerns, meant that creating an enormous database containing these members' biometric information would be unwieldy at best, and a potential source of litigation. Therefore, the pilot uses 'match-on' cards, where the matching function is done entirely within the card.
When a card and a cardholder's finger are presented to an electronic reader, a mathematically derived template (rather than an image) of the fingerprint stored on the card is compared on the card's processor with the template scanned by the reader. A match proves that the cardholder is indeed the person entitled to the Medicaid services.
"You do not have to have an online environment, and you do not have to have a big biometric database waiting in the wings when performing match-on-card", Pattinson says. "This is all done by the card and the terminal at the time of use."
A smartcard with embedded biometric data can help to bridge the nexus between physical and IT security by being used for logical as well as physical access. That would help to prevent or deter insider crimes, McKeon says. A problem that he sees often when IBM performs vulnerability assessments on clients is that it is too easy for an insider to get access to confidential customer information or other company data that the employee is not authorised to see.
He says that one way to prevent these crimes is to have a desktop reader that is used along with a biometric scanner. Plug the card into the reader and then, say, scan a finger, and a user can be authenticated and logged into the system. Several iris-scan providers, such as Panasonic and LG Electronics, also have computer-access applications.
"It is not good enough just to know who is walking in the front door and signing the guest book," McKeon says. "You need to be able to strongly authenticate who is getting on the system, who is performing transactions, and so on." This audit trail is also of value in meeting regulatory requirements.
New generations of smartcards with embedded biometric data can offer a convenience factor for users, because passwords can be loaded onto the card, meaning that a user no longer has to remember them. As a result, an administrator could use very long and complex passwords and change them regularly, all without any action on the part of the user. Cards can even hold digital-certificate data, thus eliminating a major weakness of PKI schemes - the danger of storing certificates on a computer where they are threatened by compromise.
McKeon says that businesses are seeing real cost savings from the trend toward smartcards and embedded biometrics because it dramatically decreases the amount of time that IT administrators spend resetting passwords forgotten by users.
Some financial services companies that have not yet moved to combination smartcards are beginning to make slow transitions to biometrics separate from the card in part to reduce password-resetting costs, says Schaffer. "One of the interim steps is to use a voice-recognition password-reset solution," he says. Rather than bothering the help desk, a user would call in and be connected to a computer and then would use a preregistered phrase to voice authenticate. If the voice is authenticated, the computer resets the password.
Government proving ground
Government-led efforts to embed biometric data into smartcards and then get those cards into the hands of government workers and contractors will be a big part of getting the public to accept and become comfortable with these technologies, says Bob Sawyer, president and chief technology officer of AMAG, a manufacturer of electronic access control systems.
Sawyer says that some estimates put the number of cards to be issued under a developing government-wide standard for secure forms of identification as high as 60 million. "When you start having that type of presence of card, and the fact that it is with government contractors, it will move into the commercial world more easily", he says.
But the commercial world is taking its own steps to popularise biometrics. At the same time that IBM announced its Secure Identity Management Solution late last year (for more on this, see below, 'Integrating biometrics and smartcards'), it demonstrated a new IBM ThinkPad laptop with a built-in fingerprint scanner. By sliding an index finger across the sensor embedded in the palm rest of the laptop, a user is immediately logged onto the computer; the system can be configured to allow this authentication process to replace the typing of passwords.
Other consumer products are being offered as well. Microsoft in November introduced its own line of fingerprint-reader products, including a wireless mouse and a wireless keyboard with embedded readers. Silex Technology has a lineup of fingerprint readers including some that plug into USB ports and others that reside in a PCMCIA slot; these latter feature a pop-out scanner. Sony has released a USB-token called Puppy that has a fingerprint scanner on it; it supports the use of digital signatures and does the matching on the token itself so that fingerprints are not sent to a PC. Kaneda says that the commercial sector's adoption of products like those mentioned above will help the public get used to biometrics.
Smartcards and biometrics will never reach their potential if the public at large has reservations about security of their personal data. Therefore, next to cost, privacy, not interoperability, is the biggest impediment to the success of biometrics, says Schaffer.
It seems almost counterintuitive to think of biometric technology as a way to enhance, rather than exploit, privacy, but that is the case, these experts contend. For example, as noted in the Texas Medicaid pilot program, users' biometric data are checked on the card, meaning that each user can prove his or her identity conclusively without that data ever leaving the smartcard. Gary Bradt adds that when mobile devices such as laptops are secured with a biometric, losing a portable no longer means losing sensitive documents or information.
"In the private sector you interact with these technologies in different ways, as a customer and consumer and presumably people will be willing to swap their fingerprint for the scores of user IDs and passwords they are forced to remember", Kaneda says.
Government initiatives and technological advances will continue to push businesses to increase their use of smartcards and biometrics. With strong drivers behind them, it may be time to say that the rumours about smartcards and biometrics were not exaggerated at all.
Integrating biometrics and smartcards
Late 2004, IBM Global Services announced that it was working with smartcard and biometric partners such as ActivCard, Bioscrypt, GE, and ImageWare on a Secure Identity Management Solution. This system is meant to help organisations roll out smartcards embedded with any of a variety of biometric technologies, as well as software solutions to easily provision identity credentials.
I was given the opportunity to be enrolled by the system. In less than five minutes, my fingerprints were scanned, a photo was taken, and a smartcard with all these data embedded was issued. A single software program made provisioning easy by using checklists to allow access to certain desktop applications and to various rooms, while other applications and areas remained off limits.
The card was both contact and contactless - which would enable the user to gain unhampered access to areas with both technologies. The contact technology was used at a computer terminal. The card was placed into a reader, and I was automatically logged onto the computer. Passwords were read and entered, and I was given access to the desktop. Pulling the card out of the reader automatically logged me off.
This type of integrated solution is becoming common, says Ed Schaffer, director, positive identification, access control solutions, and homeland security with Unisys. "I know all the big integrators are working on similar solutions, either internally or with team members to enable them to get into these big integration projects." Randy Vanderhoof, executive director of the Smart Card Alliance, says these integrators "are taking a lot of the mystery and complexity out of implementing these strong security technologies that incorporate smartcards. Automating and streamlining these processes represents a huge step forward", he says. "When an end user has to go it alone and secure cards and secure readers and secure applications like biometrics and physical access, then very often they are left to the rather complex job of trying to get all the pieces to work together."
Peter Piazza is associate editor for Security Management.
© Technews Publishing (Pty) Ltd | All Rights Reserved