Will Two-factor Be One World?
Ernie Berger is president, Gemalto North America. Formed in June 2006 by the combination of Axalto and Gemplus International S.A., Gemalto delivers secure platforms, services and personal devices to over a billion people worldwide.
Security Magazine: How are smart cards being used in the U.S. government?
Berger: The U.S. government is adopting digital security technology to protect the identities of its employees and the security of its buildings with Personal Identity Verification (PIV) II cards and the identities of U.S. travelers with e-passports. At the same time, the government is developing new initiatives that will either be built on, or are strong candidates for, strong authentication technology. Some of these programs are the Transportation Worker Identification Credential (TWIC), the First Responder Authentication Card (FRAC) and the Registered Traveler program. Specific initiatives include:
- The DoD Common Access Card (CAC) was implemented in 2000 as a personal identity credential for U.S. military personnel. We have delivered the majority of the devices to DoD, providing 11 million cards to date.
- Secure devices for the TSA’s TWIC Phase III pilot program are used for port security.
- For the new electronic passports to the U.S. Department of State for U.S. citizens beginning in 2007, we have enabled more than 3 million e-passports worldwide with its secure chip-based technology.
- An HSPD-12 solution has been implemented to support the GSA Shared Services solution, which supports over 40 agencies.
- Both Texas and New Mexico have implemented electronic secure personal devices to replace the paper-based voucher system used in their Women, Infants and Children (WIC) programs. The smart cards store food benefits data; offer convenience and quicker reimbursement; and help eliminate fraud.
- Registered Traveler is a privately funded, TSA-regulated program in which participants voluntarily undergo a background check in order to gain faster security screening at airports.
Berger: Global organizations are strengthening IT security using secure personal devices, such as smart cards, as a second authentication factor in addition to a password. We have issued more than 15 million digital security corporate badges to companies like Microsoft, Pfizer and Boeing.
Enterprises are becoming increasingly interested in a converged physical and IT access system that allows employees to securely enter facilities and access networks with one credential. Pfizer and Boeing are good examples of enterprises following this path in order to enhance security and convenience among their employees, contractors and business partners. Both companies chose smart badge identity management systems to allow smart card-based digital signatures, and to control employee access to facilities and networks worldwide. Now, more than 100,000 users at Pfizer and 200,000 users at Boeing use a badge to gain access to buildings and offices in facilities, as well as for securely logging onto corporate networks and applications.
Security Magazine: Why is there a need for two-factor authentication with tokens or smart cards? Why is it advantageous?
Berger: In addition to security breaches, no one can depend on simple passwords anymore. We are living in a digital world where everything of value – from money to identities – is represented as information communicated over networks. Therefore, it is critical to protect this information and these identities with additional factors for authentication – like secure personal devices such as smart cards or USB tokens.
Security Magazine: How do you view the evolution to one-time passwords, tokens and USB devices for more secure remote access?
Berger: The ability to access systems securely from remote locations is critical to any organization. The advantage of digital security-based systems is that they are built to work anywhere, including remotely. An organization can mix and match form factors any way they like – but only need one back-end implementation.
Security Magazine: What’s in the future for smart cards?
Berger: The need and requirement to protect sensitive information are going to continue to propel two-factor authentication in all sectors. At the same time, similarly to what we are seeing in government with the PIV card, more organizations are moving to converged physical and IT access systems using strong authentication technology.
On the commercial side, we are going to see more small and medium-sized businesses adopting two-factor authentication solutions that were once the domain of large enterprises.
Now that digital security technology is being used in agency identity credentials and in passports, the government’s next big step is going to be incorporating this technology into driver’s licenses. The Real ID Act, signed into law in 2005, establishes national standards for state-issued driver’s licenses and non-driver’s identification cards. The act requires, among other things, high-end physical security features and a machine-readable technology on all state-issued licenses after May 2008.