colorid campus identity summit emerging ......nfc – near field communication •secure element...

© 2018 -- IDENTITY ROADMAP -- ColorID, LLC

COLORID CAMPUS IDENTITY SUMMITEMERGING IDENTITY SOLUTIONS

Danny SmithExecutive Vice President, ColorID

Todd BrooksDirector - Product Management, ColorID

Tim NyblomDirector – Education Group, ColorID

Larry LummeAccount Manager – Education Group, ColorID

Mark DeganDirector – Corporate Marketing, ColorID

AGENDA

Mobile Identification

Biometrics

Cloud/Web Based Card Issuance

Identity Management


MOBILE IDENTIFICATION

Smart phones for POS, PACS, and Logical Access


WHERE IS IDENTIFICATION HEADED?

MOBILE IDENTIFICATION


MOBILE TOPICS

Technologies

Available Solutions

Mobile Short Comings

Current Use Cases

Considerations for Deployment


WHY CONSIDER MOBILE IDENTIFICATION

Leverages devices students already have

Convenient for students – always have mobile available

Potentially Decrease Card Office Costs

Cool Factor

Can be very secure – Two Factor


PHONESSmall Computers with many interfaces

• Cellular •WiFi• NFC • Bluetooth• USB• GPS


MOBILE TECHNOLOGIESNFC – Near Field Communication

•Secure Element (hardware, often the SIM) communicates through Radio Frequency (NFC) antenna in phone, to reader•Uses existing reader infrastructure•Host Card Emulation ‐ NFC data communicates with mobile device operating system rather than Secure Element•Apple opening the door on NFC use with iOS 12?

BLE – Bluetooth Low Energy (aka Bluetooth Smart)

•Available on most current handset models•AES‐128 encrypted data•Likely Requires reader upgrades

Barcodes

•2‐Dimensional Barcodes Generated on Mobile Screen•One‐Time User Barcode•Barcode reader at POS locations

Geo‐Location

•Uses phone location as validation for service•No Readers Required

Software

•Direct Communication with Backend Systems


PHONE BIOMETRICS

Added Security through 2‐Factor Authentication

Samsung •Fingerprint •Iris Recognition

iPhone•Touch ID (Fingerprint)•Facial Recognition


MOBILE PAYMENTSMOBILE PAYMENT TECHNOLOGIES

Apple Pay Android Pay

Samsung Pay Paywave

MasterPass


CONSUMER ADOPTION

“This year, proximity mobile payment transactions will grow 183.3% to $27.67 billion. That figure will more than double next year to reach $62.49 billion. By 2020, proximity mobile payment

transactions are expected to equal $314.13 billion.”

“Proximity mobile payment users in the US skew young, with 11.9 million in the 25‐to‐34 age group in 2016—31.1% of the

total”


CONSUMER PAYMENTS WITH PHONE

Know that mobile is complicated

Direct effects•Wherever you take non‐program payments

Indirect effects•Which technology will your system providers integrate?• Your users want all this stuff now

How do mobile consumer payments apply to my campus card program?


MOBILE SOLUTIONSExamples of Mobile Solutions on the Market,

Many different solutions available


HID MOBILE ACCESSPowered by SEOS

NFC or BLE technology ‐ Long range capabilities and device flexibility

Provisioned through web portal or software integration ‐email

Secured with SIO

Requires iClass SE readers

Requires additional BLE Module in SE readers

5427CK USB Reader available for POS, Print/Copy, Etc.

Pricing Models:

•Current: Per credential fee, non‐persistent, Lost or Upgraded Phone requires a new credential

•Future: Per User Monthly Fee•Visitors: Small fee for temporary usage (time expiring)


HID READER MANAGER

Reader Manager App

•Allows retrofit of iClass SE Readers•Upgrade Reader Firmware OTA•Manage Mobile Keys•Configure Reader Characteristics• Simplify Reader Upgrades & Reduce Costs


ALLEGION APTIQ MOBILE

aptiQ Mobile

• NFC communication• Requires sleeves for non‐Android devices• Provisioned through web portal or access control software integration –email

• Minimal adoption due to NFC limitations• iOS 12 implications?


CARD SYSTEM SOLUTIONS

Blackboard

•NFC at door and POS readers

Campus Systems –Cbord, Atrium, etc.• Use software to connect cardholder, phone and system – GPS, Barcode, type‐in code


CREDENTIAL ISSUANCE• Web portal for access to users – HID example


DETAILED USER LIST


USER DETAIL – CURRENT MOBILE CREDENTIALS


MOBILE SHORTCOMINGS

Lack of visual identification

Sense of belonging with ID card

Legacy Mag and Barcode Systems

21© 2018 -- IDENTITY ROADMAP -- ColorID, LLC

MOBILE SHORTCOMINGSStability across

Handset Platforms

Apple Use of NFC

Upgrade Costs can be High


CURRENT MOBILE USE CASES

Physical Access – with Reader

MfgPoint‐of‐Sale Supplemental

Credential

Revenue Generation –

Additional Fees


USE CASE – LOGICAL ACCESS

Smartphone Apps

Provisioned OTA

Push Notifications (OTP)

Popular due to convenience


CONSIDERATIONS WITH MOBILE ID

In many cases, mobile credentials can be more expensive than a traditional card

Current hardware decisions MUST be made with mobile in mind

Work with Partners who are familiar with these technologies and can provide complete solutions


BIOMETRICS

Who Are You?


Forensics (CSI)•Identify a Criminal•FBI Database ‐ IAFIS

PHYSICAL ACCESS•Opening and Closing Doors

Logical Access•Computer access and digital documents

MOBILE ID CONFIRMATION•DoD ABIS Program•FBI IAFIS Database•Travel / border security

MAINSTREAM / CONVENIENCE APPLICATIONS•Mobile Payments•Point of Sale

HISTORY: APPLICATIONS


HOLLYWOOD – BIOMETRIC STIGMA

© 2017, ColorID, LLC

BIOMETRICSMeasuring different parts or behaviors• Body part is presented to the sensor• Sensor captures an image• Image is converted to a template

– Template is a number • Template is matched

0101010101010111010111000011100110101101010100011100011010101000101010101010101111010100011101010101010000111111100010100011100101010100001100001110101000111010

BIOMETRIC IMAGEBIOMETRIC TEMPLATE

ONE-WAY HASH

ALGORITHM

1111111111111111111100000000000000000000111111111111111111110000000000000000000010101010101010101010111111111111111111111111111111111111111100000000000000000000

ENCRYPTED TEMPLATE

ENCRYPT VIA PKI / AES /

Other


BIOMETRIC SYSTEM TERMINOLOGY

1:1 matching

“One to one”

Template from sensor is compared to one template from database•Requires use of card, PIN, other identifier

12345

1:1 Matching

12345

AUTHENTICATION


BIOMETRIC SYSTEM TERMINOLOGY

12345678901234

72354892531008

82345581234567

92345675812346

82345581234567

1:Many Matching

1:N matching

“One to many”

Template from sensor is compared to all templates in

database

Can be used with or without additional

identifier

IDENTIFICATION


BIOMETRIC MATCHING• Template matching is always based on a probability

– Every transaction is a little different• Systems must balance False Acceptance (FAR)against False

Rejection (FRR)• Quality and type of sensor significantly affects system performance

FALSE REJECTIONFALSE ACCEPTANCE


SYSTEM INTERFACE

•Standard wiring and communication between Physical Access Control Systems (PACS) and readersWiegand Interface

•Emulates a Keyboard•Same as Magstripe and Contactless readers for POSUSB Keystrokes

•RS232 or RS485Serial

Communication

•Web Services•ODBCAPI

Biometric System sends card number to PACS, POS, or other software.

1234567890123456


SENSORS AND ALGORITHMS


BIOMETRIC MODALITIES

Fingerprint•Most Familiar•Early Systems didn’t work well•New Sensors –Multispectral, Light Emitting Film•Smart Phone adoption•1/10,000 FAR Normal

Hand Geometry•Most Prevalent Biometric System –1985•Small amount of data – 9 bytes•1:1 Mode typically required•Time & Attendance, Physical Access

Vein Pattern•Infrared scanners –blood absorbs light•Not really non‐contact•1:N up to ~4,000•ATMs, Healthcare (Patient ID)

Facial Recognition•Emerging Technology•Surveillance (Involuntary)•Border Control•Current sensors/algorithms good 1:N for ~1000 users, new systems with greater potential


IRIS RECOGNITIONCircular structure in

the eye “Eye color”

Photo of eye No contact with device required

At least 250 unique points

10X more than

fingerprint

Proven to be the fastest form of biometric for

matching

1:N Matching of 100,000 Records in <1

second© 2018 -- IDENTITY ROADMAP -- ColorID, LLC

IRIS ACCURACY

Uniqueness = Accuracy

The probability of two persons with the same iris

pattern is 1 in 1078

Twins have same DNA but different

iris patterns

Right and left eye are totally different

Flakes falling on Earth in one year = 10 23

Estimated probability of two like irises = 1 in 10 78


IRIS: STABLE AND RELIABLESmallest outlier population

Stable for life (after 1 yr old)

One time lasting enrollment

Fastest authentication

Lowest FAR(false accept ratio –0.0000008%) and lowest FRR(false reject ratio)

Boundary of Upper Eyelid

Boundary of the sclera (limbus)

Boundary of Lower Eyelid

Boundary of Pupil


IRIS SYSTEMSIris on the Move

Iris at a DistanceOutdoor iris

Mobile –Windows Phone,

Samsung 8


IRIS CONCERNSOften confused with retinal scan

Retinal scanners are invasive – no longer used

Expensive compared to cards ??

Generated templates are proprietary to each system

Images follow ISO standards

Camera requires installation


CERN - HADRON COLLIDER – RETINA?


CONTINUOUS AUTHENTICATION• Speech patterns, used by banks, other applicationsVoice

• Logical authenticationKeystroke Dynamics

•WearablesHeart Rhythm

•Eye movement and blinkingIris Patterns


CAMPUS USE CASES


USE CASE: ATHLETIC FACILITIES

Convenient for Athletes (No Card to carry)

Higher Security

Iris – Non‐contact (Dirty Hands, Gloves)


USE CASE: DINING

Can be very fast

Secure (1,2, or 3 factor)

Fraud Prevention (Unlimited Meal Plans)

Students can eat when cards are lost

Works like any other card reader

Example Schools:

University of Georgia

(HandKey ‐> Iris)

Boston University (Fingerprint on

iClass)

Georgia Southern University (Iris)

Virginia Commonwealth University (Iris)

George Mason University (Iris)


CAMPUS USE CASES


GEORGIA SOUTHERN UNIVERSITYNearly 4 million transactions via Iris into dining halls


USE CASE: MEDICAL CENTERS

Government Funding for

IrisThree Factor Authentication often Required

Example Schools

University of Colorado‐Denver

University of Texas

Colorado State

University

George Washington University

Irradiator Rooms / Cabinets

Cadaver Labs Pharmaceutical Cabinets / Safes

Medical Research


USE CASE – IT / DATACENTERS

High security Card + Iris

Used by:•Apple – iCloud •Google•The Clearinghouse•Citigroup

Finger –Individual Cabinets


USE CASE: RECREATION CENTERS

•Don’t have to carry cardsConvenient

• Sweat / GermsNon‐Contact

•Card SharingPrevents Fraud

Interface with Turnstiles


USE CASE: CHILD CARE CENTERS

Modalities Iris Finger Vein Pattern

Secure access to child care facility

Easy way to insure safety of children

Schools Winthrop University

Goddard School Iris


USE CASE – RESIDENCE HALLS

Iris Perimeter doors

Fingerprint + Card

Less expensive than iris

Weatherproof


USE CASE – LOGICAL ACCESS

Fingerprint, Face (1:1), Iris

Future: Continuous Authentication

Multi‐Factor Authentication

Store on Smart Card

•Target, Home Depot, OPM•“Unnamed” UniversitiesBreaches

FIDO Alliance (Mobile Devices)


BIOMETRICS AND PRIVACYPOPULAR CONCERNSIf my biometric is

stolen, I can’t replace my body part

Credit card comparison

Identity theft –like a permanent

PIN

I don’t want the government to have

my biometric

Related to opposition to

Real ID, national ID

Desire for anonymity

Cultural differences

Voluntary vs. involuntary

Known to subject – US‐VISIT

Unknown to subject –

surveillance cameras


BIOMETRICS AND PRIVACY - RESPONSESAmericans are getting used to less privacy

Smart phone revolution

We give up privacy to get apps

Social Media

Importance of good

algorithms

Responsibility of government and industry to provide secure biometric implementations

Store template on card or token only

Less convenient ‐slower

Don’t store images Templates Only

Encrypt biometric data in transit and at rest

IT security best practices

Images cannot be reverse engineered from good templates

Algorithms Proprietary to Sensor Manufacturer

Custom Encryption Keys

Prevents stolen template being injected

Layered security design


SELECTION - BALANCING ACT

CONVENIENCE SECURITY

• Biometric Sensor Selection– Security vs. Convenience

• Security– US Embassies

• Convenience and Acceptance are not priorities

• Convenience– Dining Application

• Although it adds security, not always the driving factor

• Acceptance– What’s in it for me?– Must be easy to use and

provide a benefit• Newer systems provide

balance

ACCEPTANCE


CLOUD BASED CARD ISSUANCE

A Paradigm Shift for Card Printing


CURRENT MODEL

Current ID Production

•Printers connected to individual workstations

•On‐Premise Card System Database

•Remote & Onsite Support


THE FUTURE OF STUDENT ID ISSUANCE

Consumablesauto replenishmentCard designer

Mobile ID

Card Services

Card printing & Overflow

Local printing

1 2 n

Support

Card System


CARD ISSUANCECloud Card Printing

• Eliminate the printer PC, enroll cardholders with devices via web interface

•Manage from anywhere• Eliminate software install and maintenance

•Utilize all available resources by auto print queueing

1 2 n


MIT – BEFORE


APPLE STORE MODEL


MIT - AFTER


GENERATE MOBILE PHOTO IDSMobile Photo ID

•Officially a Student•Added convenience•Seamlessly issue and renew•Gain flexibility with future compatibility – Mobile Access

•Potential revenue stream


REMOTE PRINTER SUPPORT

Reduce Service Calls

Technicians can monitor printers from remote locations

Direct access to tech support, apply firmware to entire fleet

Minimize downtime, increase operational efficiency


IDENTITY MANAGEMENT

Physical Identity and Access Management


CHALLENGES MANAGING IDENTITIES


PIAM Physical identity and

access management Manage identities

among multiple PACS, Transaction, and other systems

Automate key processes Ensure each identity has

the right access, to the right areas, for the right length of time


Isolated islands of information being brought together saves time and improves understanding for different stakeholder groups

Sharing and centralizing data is the first step to determining risks

Having one repository improves efficiency

Having one repository means simpler analysis

01010100011010001001011110100010001000100010011010101011110101010001101000100101111010001000100

01010100011010001001011110100010001000100010011010101011110101010001101000100101111010001000100

HR Systems

IT Systems

Access Control

Biometrics Third‐Party Systems

Key & Asset Management

CONNECTING SILOS OF INFORMATION


PIAM FOR AUTOMATED SECURITY WORKFLOWS TO REDUCE COST

Disenroll/Terminate/Check‐out

Enroll/Hire/Pre‐register/Contract

Reports Operational/Predictive

Access Audit and Compliance

Authorize/Vetting

Issuance of Access Card, Mobile Token, or Badge

Provision

Check‐In Kiosks• can include issuance of

temp badge

Contractors

Students StaffVisitors

Vendors


PIAM SIMPLIFIES THE BADGING PROCESS

Badge Designer Assign badge type based on the identity attributes Badge Privileges

Training, documentation and Security Checks can be added as a prerequisite for certain badge types

Request and Assign Temp Badge to Students Photo Upload and Approval Workflow

Student requests new badge Approver

Approver notified

Student notifiedbadge printed

Approves requestSelf-Service

Portal

Badging Officer

Existing Card is updated or Security prints.

Workflow is documented for Audit

and Compliance

Prints the badge


UNIVERSITY DATA EXAMPLE


SIS Data Vault

PACS-1

Transaction System

PACS-2

ID Production Database

Card Issuance Software

ScheduledBatch Files

ScheduledBatch Files

• Often Multiple Days for Student Service Availability

• Sometimes Manual Processes Involved

PIAM SOLUTION


PACS-1 PACS-N TransactionManagement Rec Center Parking

SIS or IAM

PIAMIncludes card production, photo upload, self

service

HID SAFE UNIVERSITY DEPLOYMENT Background and Business DriversBackground and Business Drivers

• Private University based in the U.S.• 11,000 identities across multiple disparate systems• Identities requiring physical access to campus facilities, classrooms, and secure areas within them, as well as dormitories• Loosely connected systems dependent upon manual steps to process, record, and audit

RequirementsRequirements• Centralized badge issuance for faculty, staff, and students• Provide a single, centralized physical identity and access management platform• Integrate disparate systems (C‐Cure, Toll Tags/parking, CSGold, Access, Aramark, T2• Parking)• Seamless process for on‐boarding and badging• Increased visibility and reportingBenefits RealizedBenefits Realized• Multi‐card to a single card per person• Operational Cost Reduction

• Eliminated duplicate work effort across multiple systems• Reduced manual processes and data entry• Reduced errors• One online centralized web portal

• Centralized security administration and operational flexibility• Enforced access rules while allowing department level flexibility


Advanced analytical risk profiles (BIG DATA) combining physical and logical activity

Prevent security threats in advance (normal patterns) Maximize productivity of people, facilities, processes Continuous risk assessment

PREDICTIVE ANALYTICS


THANK YOU


colorid campus identity summit emerging ......nfc – near field communication •secure element...

Documents