AutomatedBuildings.com
Article -December 2002


Secure Identification Systems

Policy and Technology Choices 
for a Privacy-Sensitive Solution

Randy Vanderhoof
Executive Director, Smart Card Alliance


Overview

Recent events have heightened interest in implementing more secure identification (ID) systems to improve confidence in verifying the identity of individuals seeking access to physical or virtual locations. ID systems must be secure, provide fast and effective verification of an individual's identity, and protect the privacy of the individual's identity information.


The familiar ID badge carried by employees or other authorized personnel to identify themselves when they are on an enterprise's property is the first level of secure identification. Some ID badges carry a company logo and a badge number, which is linked to employee records. Others are personalized with the cardholder's name for the added security of linking a name with a recognized face. Even more security is added when the cardholder's picture is included. These common badge types rely on visual authentication for security and may be sufficient in enterprises with a relatively small number of employees and low security risk.

What these ID badges lack is machine-readable technology that provides electronic verification and real-time authentication of the badge credential that the cardholder presents. Machine-readable ID technology supplements the visual verification of the badge appearance and cardholder information with encoded identity details that are, to varying degrees depending on the technology used, more difficult to duplicate or alter.

Smart card technology is increasingly being adopted by commercial and government enterprises for ID systems that must support fast, secure identity verification. A smart card-based system delivers a proven, cost-effective solution that accurately verifies cardholder identity, while also meeting the individual's and enterprise's need for protecting personal information. Password theft and unprotected PIN-based controls are among the most common threats to internal information networks, and a credential whose secret is held on the chip rather than memorized by the user addresses both directly. Coupled with a secure, privacy-sensitive information technology (IT) architecture and policy framework, a smart card-based secure ID system can provide accurate identification and protect the individual's information.

This article describes policy and technology issues that need to be considered in implementing a secure ID system. The different ID technologies that are available are compared, and the role that smart cards can play in implementing trusted personal credentials is presented.

Employee Identification Applications

Individuals are required currently to confirm their identity for many purposes. A heightened interest in physical security, coupled with increasing requirements to provide secure network access, has led many government agencies and businesses to implement new solutions that can improve the security of identification systems. Solution requirements may include providing secure identification for physical access, for logical access (e.g., for secure sign-on to networks) and for authenticated application, data or service access within a system.

Virtually every government and company employee carries some form of identification. Many employers are now improving their systems to expand functionality from simple physical identification to identification for a broad range of applications including: physical and logical access; submission of claims for medical or other employee benefits; control and management of corporate assets; and replacement of paper-based processes with online forms. Examples of smart card-based employee ID initiatives follow.

The U.S. Department of Defense (DoD) has initiated a program to issue up to 4 million smart card-based "Common Access Cards" to military and civilian employees and contractors. DoD employees will use these cards to digitally sign and encrypt documents and to have secure access to buildings and networks. 

The U.S. Department of State is in the process of implementing a new automated access control system for employees and visitors using a smart ID card. 

Royal Dutch/Shell Group has announced the issuance of over 85,000 smart cards to employees worldwide to provide secure physical and network access, as well as corporate ID, on one card. 

Microsoft Corporation recently announced that they have issued 25,000 smart ID cards to employees in Redmond, WA as part of an overall program to increase network security.

Policy and Secure Personal Identification Systems

Card management policies and processes need to be designed and implemented to support secure ID applications. A card issuance process must accurately verify the identity of the recipient at the beginning of the process. Individual identity information must be acquired and securely stored. Once cards are issued, identity information must be securely maintained and synchronized among applications and with new updated information. The governance and management of the secure ID card system must take into account privacy issues and the infrastructure cost of the system deployment.

Smart card-based identification solutions are able to meet the requirements of a wide range of policy and legal mandates. Smart cards are a powerful tool for improving the security of any identification system and protecting information about cardholders. A smart card-based ID system can support a machine-assisted identification process, limiting the potential bias or judgment errors in identifying people. Coupled with a secure, privacy-sensitive IT architecture, a smart card-based ID system can provide accurate identification, protect the cardholder's personal information, and address the policy and legal requirements that are currently being debated.

Card Technology Alternatives

A number of commercially available technologies can be considered for identification system designs.

Plastic cards. Simple plastic cards with printed visual identification information (e.g., individual name, photo) are used in applications where information is visually verified when the card is presented for identification.

Bar codes. Linear or two-dimensional bar codes can store information, with data translated into a bar code and embedded on the plastic card during the printing process.

Magnetic stripe cards. Magnetic stripes have been used on cards since the 1970s for a wide range of applications. Identification information is written to the magnetic media during the personalization process.

Smart cards. A smart card includes an embedded chip that can be either a microcontroller with internal memory or a memory-only chip. The card connects to a reader with direct physical contact or with a remote contactless electromagnetic interface. With an embedded microprocessor, smart cards have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures) and interact intelligently with a smart card reader. Smart cards are used worldwide in financial, telecommunications, transit, healthcare, secure identification and other applications.

The use of biometric technology is widely believed to be essential in a secure ID system design. Biometrics can be used with the card technologies discussed above (e.g., smart cards), where a biometric template is stored on the card and then verified with the received biometric at the point of interaction. By securely recording and then checking an individual's unique biometric information (e.g., fingerprints, hand geometry, retinal or iris patterns, facial patterns or voiceprints), the system can more accurately validate the individual's identity. The verification process may be done by a smart card, by a biometric-specific reader, or by a central system.
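Of the three places the check can run, verification on the card itself ("match-on-card") is the one that keeps the enrolled template off the reader and out of any central database: the reader sends the freshly captured sample in and gets back only accept or reject. The following is an added illustration, not code from the article or from any card vendor. It models a card holding a 512-byte template (the iris figure from Figure 2) with a retry counter against guessing. The bitwise Hamming-distance matcher, the 0.32 acceptance threshold, the three-try limit and the 10% bit noise used to synthesize a "genuine" recapture are all assumptions made for the example; a real iris or fingerprint matcher is considerably more involved.

```python
import random

# Constructed example of match-on-card verification; it is not the code of any
# real card or biometric matcher. The 512-byte template size is the iris figure
# quoted in Figure 2; the 0.32 distance threshold, the three-try counter and the
# 10% "sensor noise" used to build the genuine sample are assumptions.

TEMPLATE_BYTES = 512
MATCH_THRESHOLD = 0.32     # fractional Hamming distance at or below which we accept
MAX_TRIES = 3              # failed attempts before the card refuses further checks


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Share of differing bits between two equal-length templates."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (len(a) * 8)


class MatchOnCard:
    """The enrolled template is written once and is never read back out; the
    only operation the reader can invoke returns a yes/no answer."""

    def __init__(self, template: bytes):
        self._template = template
        self._tries_left = MAX_TRIES

    def verify(self, sample: bytes) -> bool:
        if self._tries_left == 0 or len(sample) != len(self._template):
            return False
        accepted = hamming_fraction(self._template, sample) <= MATCH_THRESHOLD
        # A good match resets the counter; a miss consumes one try.
        self._tries_left = MAX_TRIES if accepted else self._tries_left - 1
        return accepted

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0


def random_template(rng: random.Random) -> bytes:
    """Stand-in for a captured template (constructed, random bits)."""
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))


def with_noise(template: bytes, fraction: float, rng: random.Random) -> bytes:
    """Flip a fixed fraction of bits to imitate a fresh capture of the same eye."""
    out = bytearray(template)
    nbits = len(template) * 8
    for pos in rng.sample(range(nbits), int(nbits * fraction)):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def run_demo() -> dict:
    rng = random.Random(2002)                  # fixed seed: repeatable constructed data
    enrolled = random_template(rng)            # captured once at issuance
    card = MatchOnCard(enrolled)
    genuine = with_noise(enrolled, 0.10, rng)  # same person, later capture (~10% differ)
    impostor = random_template(rng)            # unrelated person (~50% of bits differ)
    results = {
        "genuine_accepted": card.verify(genuine),
        "impostor_accepted": card.verify(impostor),
    }
    # Guessing is bounded by the card's own counter, not by reader-side policy.
    for _ in range(MAX_TRIES):
        card.verify(random_template(rng))
    results["blocked_after_retries"] = card.blocked
    results["genuine_after_block"] = card.verify(genuine)
    return results
```

Two things the model makes visible: the card class exposes no read of the template, so a rogue reader (or a compromised central server) has nothing to harvest, and the lockout lives on the chip, so an attacker cannot get unlimited guesses by bringing their own reader.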

Key Questions When Evaluating Card Technology Choices

When evaluating alternative secure ID card technologies, several key questions should be considered.


1. How much information needs to be stored on the ID card?

A typical secure ID card may need ten to twenty kilobytes of data, including text information (name, ID number), compressed photo image, biometrics, and security functions. Figure 2 shows the memory required for a variety of biometric templates. Smart cards have sufficient memory to hold data, applications and the card operating system.

Figure 2: Biometric Template Size
Source: Frost & Sullivan

Biometric                # of Bytes Required
Finger-scan              300-1200
Finger geometry          14
Hand geometry            9
Iris recognition         512
Voice verification       1500
Face recognition         500-1000
Signature verification   500-1000
Retina recognition       96

2. What level of security is required to implement the desired risk management profile?

An ID card and ID card system must be secure - i.e., resistant to fraud, ID theft, and counterfeiting. A secure ID card must be sufficiently difficult to produce, be protected by security design features so that it is extremely difficult to counterfeit, and be able to invalidate itself when tampered with. Card security functions must include features to prevent unauthorized access to and use of any card data, for example, using encryption to enhance the card's basic security level. A microcontroller-based smart card has the unique ability to use active security methods that require on-card computations or interactions with the reader and can, therefore, provide a higher degree of security and privacy than other technologies.
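What "active security methods that require on-card computations or interactions with the reader" buy over a static credential is easiest to see in a small model of the exchange. The following is an added example, not the article's own material and not the authentication protocol of any real card product (ISO 7816 and ISO 14443 mutual authentication differ in detail). It contrasts a magnetic-stripe-style credential, which can be copied by anyone who reads it once, with a chip that holds a key and answers a fresh challenge from the reader, and that in turn demands proof from the reader before releasing its record. The HMAC-SHA256 transcript layout, the 16-byte nonces, the in-memory key table and the sample employee ID are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of "active" card authentication versus a static credential.
# It is not any real card's protocol (ISO 7816 / ISO 14443 mutual authentication
# differs in detail); the HMAC-SHA256 transcript layout, the 16-byte nonces and
# the employee ID below are assumptions made for illustration only.

CARD_ID = "EMP-000123"                  # constructed sample cardholder ID
SHARED_KEY = secrets.token_bytes(32)    # per-card key injected at personalization


class StaticCredential:
    """Magnetic stripe or bar code: the reader gets the same bytes every time."""

    def __init__(self, card_id: str):
        self.card_id = card_id

    def read(self) -> bytes:
        return self.card_id.encode()


class SmartCard:
    """Microcontroller card: the key stays on the chip. The reader only sees a
    challenge-response exchange and a read that is gated on its outcome."""

    def __init__(self, card_id: str, key: bytes, record: bytes):
        self.card_id = card_id
        self._key = key
        self._record = record          # e.g. compressed photo or biometric template
        self._nr = self._nc = None
        self._authenticated = False

    def authenticate(self, reader_nonce: bytes):
        """Step 2: answer the reader's challenge and issue one of our own."""
        self._nr, self._nc = reader_nonce, secrets.token_bytes(16)
        self._authenticated = False
        msg = b"card" + self.card_id.encode() + self._nr + self._nc
        return self.card_id.encode(), self._nc, hmac.new(self._key, msg, hashlib.sha256).digest()

    def confirm(self, reader_tag: bytes) -> bool:
        """Step 4: release data only to a reader that proved it holds the key."""
        expected = hmac.new(self._key, b"reader" + self._nc + self._nr, hashlib.sha256).digest()
        self._authenticated = hmac.compare_digest(expected, reader_tag)
        return self._authenticated

    def read_record(self):
        return self._record if self._authenticated else None


class Reader:
    def __init__(self, key_db: dict):
        self._keys = key_db            # card_id -> key; a real reader derives these in a SAM

    def session(self, card):
        """Run the exchange; return the card's record on success, None otherwise."""
        nr = secrets.token_bytes(16)                         # step 1: fresh challenge
        card_id, nc, tag = card.authenticate(nr)             # step 2
        key = self._keys.get(card_id.decode())
        if key is None:
            return None
        expected = hmac.new(key, b"card" + card_id + nr + nc, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):           # step 3: card did not prove the key
            return None
        reader_tag = hmac.new(key, b"reader" + nc + nr, hashlib.sha256).digest()
        return card.read_record() if card.confirm(reader_tag) else None   # step 4


class ReplayCard:
    """Attacker who eavesdropped one genuine transcript and plays it back."""

    def __init__(self, transcript):
        self._transcript = transcript

    def authenticate(self, reader_nonce):
        return self._transcript        # ignores the fresh challenge, so the tag is stale

    def confirm(self, reader_tag):
        return True


def genuine_session():
    card = SmartCard(CARD_ID, SHARED_KEY, b"record-for-" + CARD_ID.encode())
    return Reader({CARD_ID: SHARED_KEY}).session(card)


def static_clone_accepted() -> bool:
    """A copied stripe is indistinguishable from the original it was read from."""
    original = StaticCredential(CARD_ID)
    return StaticCredential(original.read().decode()).read() == original.read()


def replay_rejected() -> bool:
    card = SmartCard(CARD_ID, SHARED_KEY, b"secret-record")
    recorded = card.authenticate(secrets.token_bytes(16))    # captured from an earlier session
    return Reader({CARD_ID: SHARED_KEY}).session(ReplayCard(recorded)) is None


def rogue_reader_gets_nothing() -> bool:
    """A reader without the key learns the card ID but cannot unlock the record."""
    card = SmartCard(CARD_ID, SHARED_KEY, b"secret-record")
    return Reader({CARD_ID: b"wrong-key"}).session(card) is None and card.read_record() is None
```

The property the article is pointing at is that nothing the reader receives can be reused: a captured transcript fails against the next reader's nonce, and the card ID is the only thing a skimming reader learns. The same structure applies whether the card uses a symmetric key, as here, or a private key and certificate, as on the DoD Common Access Card; in the asymmetric case the reader needs no key database at all, only the issuer's public key to validate the card's certificate.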

3. How will card readers be used in the identification process? What are projected transaction volumes and required transaction speeds?

To read card information, cards can be swiped (magnetic stripe), scanned (bar code), sensed (contactless smart card) or inserted into a reader (read/write magnetic stripe, or smart card). Smart card and read-only magnetic stripe readers have relatively low costs (<$20) when purchased in volume and are robust for high volume applications. The overall transaction time will include the card reading/writing time and the time required for any biometric check. In high volume applications, the ability to have the reader interact with the ID card without making direct physical contact (e.g., with a contactless smart card) may be critical to achieving the desired throughput.

Figure 3 summarizes important features of card and card reader technologies that are typically considered when making a technology selection.

Figure 3: Comparison of Alternative ID Technologies

The figure compared four card types on Security, Typical Memory Size, Multi-Application Support, Standards, Upgradability, Reader Technology and Reader Portability. In the original most ratings were colour-coded (Relative Position: Strong, Medium, Weak) and do not survive extraction; a dash below marks such a cell. Only the text entries are reproduced.

Card Type         Typical Memory Size   Multi-Application Support   Reader Technology                Reader Portability
Smart card        -                     -                           Solid state                      -
Plastic           None                  None                        N/A, visual inspection           N/A, visual inspection
Magnetic stripe   -                     -                           Solid state, with moving parts   -
2D Bar code       -                     -                           Solid state optics               -

Relative Position: Strong / Medium / Weak

While the discussion above focuses on a secure identification card that would use only one of the technologies described, cards can be manufactured with a combination of technologies. For example, the DoD Common Access Card mentioned earlier is a combination magnetic stripe, bar code, photo ID and smart card. By including multiple technologies, the DoD was able to use the card with existing legacy systems, simplifying the migration process.

The Role of Smart Cards in Secure Personal ID Systems

Widely acknowledged as the most secure and reliable form of electronic identification, a smart card can act as the individual's secure identification card and allow access to information and services in both online and offline system designs. With the ability to store, protect and modify information written to the card's microchip, smart card technology offers unmatched flexibility and options for information sharing and transfer, while providing the unique ability to incorporate privacy-sensitive features. The smart card's dynamic ability to communicate with information systems speeds traditionally lengthy identification processes, while streamlining operations and reducing costs. This section summarizes some of the unique features that smart cards bring to a secure ID system design.

Information Storage Capacity. While the memory capacity of the traditional magnetic stripe plastic card is quite limited, the memory capacity of a smart card is significant and can vary based on application. Today's smart card offers enough memory to store a compressed photo image, biometrics, digital certificates and public/private keys, as well as typical demographic alphanumeric files.

Read and Write Capability. Smart card technology protects information, but also allows updates in the field as long as the credentials of the requestor authorize the update.

Multiple Applications. A smart card can host multiple applications to provide additional convenience and a more cost-effective implementation. For example, the same smart card can be used to enter a secure facility, access protected web sites, and secure online transactions.

Contactless Capability. Contactless smart cards are particularly attractive for secure physical access, where the ID credential and reader must work in harsh operating conditions, with a high volume of use or with a high degree of user convenience.

Conclusion

Smart card-based identification cards offer significant benefits for individuals, businesses and governments. Individuals using smart identification cards enjoy greater satisfaction through faster and more secure access to information and services. The efficiency, consolidation of programs and security features provided through the use of smart identification cards enable governments and businesses to securely improve services, while reducing operating costs. And, through privacy-sensitive system designs, information can be protected from misuse.

Smart card-based ID solutions are able to meet the requirements of a wide range of policy and legal mandates and provide the technical solution for secure identification. The Smart Card Alliance urges businesses and government officials to familiarize themselves with the enhanced functionality, operational and security advantages that smart card-based IDs can provide to aid in the worldwide effort to improve identification processes and reduce identity fraud.

For more information about smart cards and the role that they play in secure ID and other applications, please visit the Smart Card Alliance web site at www.smartcardalliance.org or contact rvanderhoof@smartcardalliance.org


About the author

Randy Vanderhoof is the Executive Director of the Smart Card Alliance. The Smart Card Alliance is a not-for-profit, multi-industry association of over 100 member firms working to accelerate the widespread acceptance of smart card technology in North America. He is also a past Executive Board Member for the Alliance from 1998 - 2001.

Prior to joining the Smart Card Alliance, he was Senior Project Manager and Solutions Sales Manager for IBM Global Smart Card Solutions; an international product group supporting IBM's smart card services to its global banking, healthcare, and government industry vertical teams. He has also held the position of VP Business Development with First Access, Inc. a developer of contactless smart card technology for network access security and authentication. Prior to First Access, he worked at Schlumberger as Market Segment Manager, Campus Solutions, supporting the development and marketing of smart card-based identification and payment systems.

Randy is a graduate of Saint Joseph's University in Philadelphia, PA. He received his MBA from Rider University in Lawrenceville, NJ. Randy is married with three children and resides in Mercerville, NJ.

