One of the biggest challenges facing government agencies is the nationwide rollout. The problem is that to implement nationwide credentialing, agencies need enrollment centers across the country. Though an agency might employ fewer than 1,000 people nationwide, it must still keep regional centers open to manage the card system, which can be expensive.
A number of companies are trying to do that by establishing enrollment centers that multiple agencies can use. Each agency would pay a fee for each person issued a card.
No single vendor has established a working center yet, but the GSA expects a total of 225 enrollment stations across the country. These centers could also fuel private-sector interest once they are established.
Protection of data is another consideration. There are extensive security and privacy protections called for under the HSPD-12 system, based on hardware, software, and policy. Communications between the enrollment workstations and the identity management system must be secured. Enrollment data will be encrypted and protected in storage and in transit.
Multifactor authentication is also required to access the enrollment workstations and submit data from the enrollment application, ensuring that only trained, authorized individuals can submit data.
HSPD-12 calls for use of ID cards for physical and IT access. Agencies will have flexibility in migrating their legacy access control systems to the new smart cards. Agencies are trying to avoid the costly and time-consuming process of tearing out their existing card readers, panels, or entire systems and replacing them with newer technologies. To ease migration pains, these agencies have several options.
One option is to install readers that can handle current card technologies and smart cards. Another option is to deploy smart cards with multiple technologies. GSA intends to offer agencies the option of purchasing cards that contain a 125 kHz proximity coil in addition to contact and contactless smart card chips. These multitechnology cards would allow users to present the same credential to gain access at doors with either type of reader.
Concurrently, agencies must use the new smart cards for IT access control. Traditional user names and passwords are not very secure. While certain software systems can prevent users from selecting easily guessed passwords, any reusable password is vulnerable to attack—and to compromise when users write them down or use the same password across multiple systems to avoid having to memorize numerous passwords.
A smart card with multifactor authentication can enhance IT access controls. Password security represents single factor authentication through the use of something you know. Smart cards also support the use of a second or third type of authentication, something you have—the smart card—and something you are—biometrics stored on the card. Built-in encryption, along with tamper- and counterfeit-resistant card features, can offer a high level of user authentication.
Links between applications using smart cards offer additional benefits. For example, an agency can prevent someone from using a card to log on to an agency computer system unless that card was also used to physically access the building. Such card options are already on the market. Government’s dual use of smart cards for IT and physical access control is likely to increase the trend toward this convergence in private industry as well.
Most organizations manage a great deal of identity information for their employees, typically housed in multiple systems with little interconnectivity or synchronization. The growing focus on identity management acknowledges that a person’s identity is constant and can stay with an individual regardless of how access rights change over time. This is driving a shift to a more centralized identity management approach, where a person’s identity data is updated and maintained through a common model and shared with systems as needed.
Privacy. With the REAL ID Act’s national driver’s license, there remains concern that the data would not be secure either on the card or in the database repositories.
DHS recently published its notice of proposed rulemaking for driver’s license IDs. It calls for a great deal of personal data to be stored in bar code technology in REAL ID-compliant licenses. It does not require that the data be encrypted. A top concern is that the credential would allow various entities and technologies to read the data from the card. This is also a concern with RFID technology planned for use in the Western Hemisphere Travel Initiative.
HSPD-12 is vastly different. On the HSPD-12 card, the only piece of data that can be freely read from the contactless interface is the cardholder unique identifier, a number that isn’t tied to a Social Security number. Contactless smart cards also have a much shorter read range than other technologies, such as those being used in REAL ID and other programs.
The fingerprint biometric can only be read from the contact interface, requiring a person to physically insert the card in a reader. The person then places his or her hand onto another reader so that the live print and the stored print can be compared; the applicant must also enter a PIN.
Numerous agencies and privacy groups worked to design strong security and privacy controls into the HSPD-12 standards. In contrast, a great deal of work remains to be done to devise a secure way of sharing data for the REAL ID program without hindering the ability of law enforcement to access that information.
A well-founded concern about the REAL ID program is the lack of protections for information both when stored in the databases and during transfer between states.
To fully leverage the capabilities of smart cards in the future, it will be important for stakeholders to continue developing standards and working toward interoperability for smart-card systems.
Whether the private sector will embrace smart cards remains to be seen. The federal government clearly sees a benefit to the technology. Through its combined programs, the government is expected to issue 20 million smart card or chip-based credentials over the next two years. Industry no doubt will be watching how this government experiment unfolds.