© 2018 -- IDENTITY ROADMAP -- ColorID, LLC
COLORID CAMPUS IDENTITY SUMMIT
EMERGING IDENTITY SOLUTIONS
Danny Smith – Executive Vice President, ColorID
Todd Brooks – Director, Product Management, ColorID
Tim Nyblom – Director, Education Group, ColorID
Larry Lumme – Account Manager, Education Group, ColorID
Mark Degan – Director, Corporate Marketing, ColorID
AGENDA
Mobile Identification
Biometrics
Cloud/Web Based Card Issuance
Identity Management
MOBILE IDENTIFICATION
Smart phones for POS, PACS, and Logical Access
WHERE IS IDENTIFICATION HEADED?
MOBILE IDENTIFICATION
MOBILE TOPICS
Technologies
Available Solutions
Mobile Short Comings
Current Use Cases
Considerations for Deployment
WHY CONSIDER MOBILE IDENTIFICATION
Leverages devices students already have
Convenient for students – always have mobile available
Potentially Decrease Card Office Costs
Cool Factor
Can be very secure – Two Factor
PHONES
Small computers with many interfaces
• Cellular
• WiFi
• NFC
• Bluetooth
• USB
• GPS
MOBILE TECHNOLOGIES
NFC – Near Field Communication
• Secure Element (hardware, often the SIM) communicates through the NFC radio-frequency antenna in the phone to the reader
• Uses existing reader infrastructure
• Host Card Emulation - NFC data communicates with the mobile device operating system rather than the Secure Element
• Apple opening the door on NFC use with iOS 12?
BLE – Bluetooth Low Energy (aka Bluetooth Smart)
• Available on most current handset models
• AES-128 encrypted data
• Likely requires reader upgrades
Barcodes
• 2-dimensional barcodes generated on the mobile screen
• One-time user barcode
• Barcode reader at POS locations
Geo-Location
• Uses phone location as validation for service
• No readers required
Software
• Direct communication with backend systems
PHONE BIOMETRICS
Added security through 2-factor authentication
Samsung
• Fingerprint
• Iris Recognition
iPhone
• Touch ID (Fingerprint)
• Facial Recognition
MOBILE PAYMENTS
Mobile Payment Technologies
• Apple Pay
• Android Pay
• Samsung Pay
• Paywave
• MasterPass
CONSUMER ADOPTION
“This year, proximity mobile payment transactions will grow 183.3% to $27.67 billion. That figure will more than double next year to reach $62.49 billion. By 2020, proximity mobile payment transactions are expected to equal $314.13 billion.”
“Proximity mobile payment users in the US skew young, with 11.9 million in the 25-to-34 age group in 2016—31.1% of the total”
CONSUMER PAYMENTS WITH PHONE
Know that mobile is complicated
Direct effects
• Wherever you take non-program payments
Indirect effects
• Which technology will your system providers integrate?
• Your users want all this stuff now
How do mobile consumer payments apply to my campus card program?
MOBILE SOLUTIONS
Examples of mobile solutions on the market; many different solutions available
HID MOBILE ACCESS
Powered by SEOS
• NFC or BLE technology - long-range capabilities and device flexibility
• Provisioned through web portal or software integration - email
• Secured with SIO
• Requires iClass SE readers
• Requires additional BLE module in SE readers
• 5427CK USB reader available for POS, print/copy, etc.
Pricing Models:
• Current: per-credential fee, non-persistent; a lost or upgraded phone requires a new credential
• Future: per-user monthly fee
• Visitors: small fee for temporary usage (time expiring)
HID READER MANAGER
Reader Manager App
• Allows retrofit of iClass SE readers
• Upgrade reader firmware OTA
• Manage mobile keys
• Configure reader characteristics
• Simplify reader upgrades & reduce costs
ALLEGION APTIQ MOBILE
aptiQ Mobile
• NFC communication
• Requires sleeves for non-Android devices
• Provisioned through web portal or access control software integration – email
• Minimal adoption due to NFC limitations
• iOS 12 implications?
CARD SYSTEM SOLUTIONS
Blackboard
• NFC at door and POS readers
Campus Systems – Cbord, Atrium, etc.
• Use software to connect cardholder, phone and system – GPS, barcode, type-in code
CREDENTIAL ISSUANCE
• Web portal for access to users – HID example
DETAILED USER LIST
USER DETAIL – CURRENT MOBILE CREDENTIALS
MOBILE SHORTCOMINGS
Lack of visual identification
Sense of belonging with ID card
Legacy Mag and Barcode Systems
MOBILE SHORTCOMINGS
Stability across handset platforms
Apple Use of NFC
Upgrade Costs can be High
CURRENT MOBILE USE CASES
Physical Access – with Reader
Point-of-Sale
Supplemental Credential
Revenue Generation – Additional Fees
USE CASE – LOGICAL ACCESS
Smartphone Apps
Provisioned OTA
Push Notifications (OTP)
Popular due to convenience
CONSIDERATIONS WITH MOBILE ID
In many cases, mobile credentials can be more expensive than a traditional card
Current hardware decisions MUST be made with mobile in mind
Work with Partners who are familiar with these technologies and can provide complete solutions
BIOMETRICS
Who Are You?
HISTORY: APPLICATIONS
Forensics (CSI)
• Identify a criminal
• FBI database - IAFIS
Physical Access
• Opening and closing doors
Logical Access
• Computer access and digital documents
Mobile ID Confirmation
• DoD ABIS program
• FBI IAFIS database
• Travel / border security
Mainstream / Convenience Applications
• Mobile payments
• Point of sale
HOLLYWOOD – BIOMETRIC STIGMA
BIOMETRICS
Measuring different parts or behaviors
• Body part is presented to the sensor
• Sensor captures an image
• Image is converted to a template
  – Template is a number
• Template is matched
[Figure: biometric image -> biometric template (one-way hash algorithm) -> encrypted template (encrypt via PKI / AES / other)]
BIOMETRIC SYSTEM TERMINOLOGY
1:1 matching (“One to one”) – AUTHENTICATION
• Template from sensor is compared to one template from the database
• Requires use of card, PIN, or other identifier
[Figure: identifier 12345 selects the one stored template used for 1:1 matching]
BIOMETRIC SYSTEM TERMINOLOGY
1:N matching (“One to many”) – IDENTIFICATION
• Template from sensor is compared to all templates in the database
• Can be used with or without additional identifier
[Figure: probe template compared against every record in the database for 1:Many matching]
BIOMETRIC MATCHING
• Template matching is always based on a probability
  – Every transaction is a little different
• Systems must balance False Acceptance (FAR) against False Rejection (FRR)
• Quality and type of sensor significantly affects system performance
[Figure: false rejection vs. false acceptance]
SYSTEM INTERFACE
Wiegand Interface
• Standard wiring and communication between Physical Access Control Systems (PACS) and readers
USB Keystrokes
• Emulates a keyboard
• Same as magstripe and contactless readers for POS
Serial Communication
• RS232 or RS485
API
• Web Services
• ODBC
Biometric system sends a card number (e.g. 1234567890123456) to PACS, POS, or other software.
SENSORS AND ALGORITHMS
BIOMETRIC MODALITIES
Fingerprint
• Most familiar
• Early systems didn’t work well
• New sensors – multispectral, light emitting film
• Smart phone adoption
• 1/10,000 FAR normal
Hand Geometry
• Most prevalent biometric system – 1985
• Small amount of data – 9 bytes
• 1:1 mode typically required
• Time & attendance, physical access
Vein Pattern
• Infrared scanners – blood absorbs light
• Not really non-contact
• 1:N up to ~4,000
• ATMs, healthcare (patient ID)
Facial Recognition
• Emerging technology
• Surveillance (involuntary)
• Border control
• Current sensors/algorithms good 1:N for ~1000 users; new systems with greater potential
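To make the 1:1 / 1:N distinction and the FAR-versus-FRR balance from the preceding slides concrete, here is an added example (not from the deck or any vendor) that scores constructed genuine and impostor attempts at several thresholds, then applies the deck's own figures (1/10,000 FAR, a ~4,000-record 1:N limit) to show why identification against a large database needs a far lower per-comparison FAR than 1:1 authentication does. The score distributions, the independence assumption between comparisons, and all function names are the example's own.

```python
"""FAR / FRR trade-off and 1:N scaling for biometric matching.
Added example; scores and thresholds are constructed, not from any product."""
import math
import random
from typing import List, Tuple

# Constructed comparison scores: genuine (same person) and impostor
# (different people) attempts overlap, so no threshold separates them cleanly.
random.seed(7)
GENUINE_SCORES: List[float] = [random.gauss(75, 10) for _ in range(2000)]
IMPOSTOR_SCORES: List[float] = [random.gauss(35, 10) for _ in range(2000)]


def far_frr(threshold: float,
            genuine: List[float] = GENUINE_SCORES,
            impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """FAR = share of impostor attempts accepted; FRR = share of genuine
    attempts rejected. Raising the threshold lowers FAR and raises FRR,
    which is the balance the deck says every system must strike."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def identification_false_accept(far_1to1: float, n_templates: int) -> float:
    """1:N identification compares the probe against every enrolled template,
    so an unenrolled person is falsely accepted if ANY comparison passes.
    Assumes independent comparisons: P = 1 - (1 - FAR)^N."""
    return 1.0 - (1.0 - far_1to1) ** n_templates


def max_population(far_1to1: float, accept_budget: float) -> int:
    """Largest database that keeps the 1:N false-accept probability within
    accept_budget at the given 1:1 FAR (same independence assumption)."""
    return int(math.floor(math.log(1.0 - accept_budget) / math.log(1.0 - far_1to1)))


if __name__ == "__main__":
    for t in (40.0, 50.0, 60.0):
        far, frr = far_frr(t)
        print(f"threshold {t:>4}: FAR={far:.4f} FRR={frr:.4f}")
    # Deck figures: 1/10,000 FAR "normal" for fingerprint, ~4,000 records
    # as the 1:N limit quoted for vein pattern.
    far = 1.0 / 10_000
    print("1:N false accept at N=4000:", round(identification_false_accept(far, 4000), 3))
    print("N keeping 1:N false accept under 1%:", max_population(far, 0.01))
```

With a 1:1 FAR of 1/10,000, the chance that an unenrolled person matches someone in a 4,000-record database is about 33%, which is why the deck's low-data modalities are run in 1:1 mode with a card or PIN selecting the single template.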
IRIS RECOGNITION
• Circular structure in the eye (“eye color”)
• Photo of eye – no contact with device required
• At least 250 unique points, 10X more than fingerprint
• Proven to be the fastest form of biometric for matching
• 1:N matching of 100,000 records in <1 second
IRIS ACCURACY
Uniqueness = Accuracy
• The probability of two persons with the same iris pattern is 1 in 10^78
• Twins have the same DNA but different iris patterns
• Right and left eye are totally different
• Flakes falling on Earth in one year = 10^23
• Estimated probability of two like irises = 1 in 10^78
IRIS: STABLE AND RELIABLE
• Smallest outlier population
• Stable for life (after 1 yr old)
• One-time lasting enrollment
• Fastest authentication
• Lowest FAR (false accept ratio – 0.0000008%) and lowest FRR (false reject ratio)
[Figure: iris landmarks – boundary of upper eyelid, boundary of the sclera (limbus), boundary of lower eyelid, boundary of pupil]
IRIS SYSTEMS
• Iris on the Move
• Iris at a Distance
• Outdoor iris
• Mobile – Windows Phone, Samsung 8
IRIS CONCERNS
• Often confused with retinal scan
• Retinal scanners are invasive – no longer used
• Expensive compared to cards ??
• Generated templates are proprietary to each system
• Images follow ISO standards
• Camera requires installation
CERN - HADRON COLLIDER – RETINA?
CONTINUOUS AUTHENTICATION
• Voice – speech patterns, used by banks and other applications
• Keystroke Dynamics – logical authentication
• Heart Rhythm – wearables
• Iris Patterns – eye movement and blinking
CAMPUS USE CASES
USE CASE: ATHLETIC FACILITIES
Convenient for Athletes (No Card to carry)
Higher Security
Iris – Non‐contact (Dirty Hands, Gloves)
USE CASE: DINING
• Can be very fast
• Secure (1, 2, or 3 factor)
• Fraud prevention (unlimited meal plans)
• Students can eat when cards are lost
• Works like any other card reader
Example Schools:
• University of Georgia (HandKey -> Iris)
• Boston University (Fingerprint on iClass)
• Georgia Southern University (Iris)
• Virginia Commonwealth University (Iris)
• George Mason University (Iris)
GEORGIA SOUTHERN UNIVERSITY
Nearly 4 million transactions via Iris into dining halls
USE CASE: MEDICAL CENTERS
• Government funding for Iris
• Three-factor authentication often required
Example Schools:
• University of Colorado-Denver
• University of Texas
• Colorado State University
• George Washington University
Areas secured:
• Irradiator rooms / cabinets
• Cadaver labs
• Pharmaceutical cabinets / safes
• Medical research
USE CASE – IT / DATACENTERS
• High security: Card + Iris
• Used by: Apple – iCloud, Google, The Clearinghouse, Citigroup
• Finger – individual cabinets
USE CASE: RECREATION CENTERS
• Convenient – don’t have to carry cards
• Non-contact – sweat / germs
• Prevents fraud – card sharing
• Interface with turnstiles
USE CASE: CHILD CARE CENTERS
• Modalities: Iris, Finger, Vein Pattern
• Secure access to child care facility
• Easy way to ensure safety of children
Example Schools:
• Winthrop University
• Goddard School (Iris)
USE CASE – RESIDENCE HALLS
• Iris – perimeter doors
• Fingerprint + Card – less expensive than iris, weatherproof
USE CASE – LOGICAL ACCESS
• Fingerprint, Face (1:1), Iris
• Future: Continuous Authentication
• Multi-Factor Authentication
• Store on Smart Card
• Breaches: Target, Home Depot, OPM, “Unnamed” Universities
• FIDO Alliance (Mobile Devices)
BIOMETRICS AND PRIVACY – POPULAR CONCERNS
• If my biometric is stolen, I can’t replace my body part
  – Credit card comparison
  – Identity theft – like a permanent PIN
• I don’t want the government to have my biometric
  – Related to opposition to Real ID, national ID
  – Desire for anonymity
  – Cultural differences
• Voluntary vs. involuntary
  – Known to subject – US-VISIT
  – Unknown to subject – surveillance cameras
BIOMETRICS AND PRIVACY – RESPONSES
• Americans are getting used to less privacy
  – Smart phone revolution
  – We give up privacy to get apps
  – Social media
• Importance of good algorithms
• Responsibility of government and industry to provide secure biometric implementations
  – Store template on card or token only (less convenient – slower)
  – Don’t store images – templates only
  – Encrypt biometric data in transit and at rest
  – IT security best practices
• Images cannot be reverse engineered from good templates
  – Algorithms proprietary to sensor manufacturer
• Custom encryption keys
  – Prevents stolen template being injected
• Layered security design
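The “custom encryption keys – prevents stolen template being injected” response above, as an added example that is not from the deck or any vendor: each installation binds every stored template to its own secret key and to the enrolled user id with an HMAC, and the matcher refuses any record whose tag was not produced under that key. Only the integrity/binding half is shown; encrypting the template at rest (the deck's PKI/AES step) would wrap the same record in an authenticated cipher from a third-party library, which this standard-library-only example assumes is unavailable. Record layout, function names and the sample template bytes are the example's own.

```python
"""Bind stored biometric templates to a per-system key and user id so that a
template taken from another installation, or re-labelled to another user,
is rejected before it ever reaches the matcher. Added example; all names,
the record layout and the sample template bytes are constructed."""
import hashlib
import hmac
import secrets
from typing import NamedTuple


class StoredTemplate(NamedTuple):
    user_id: str
    template: bytes   # matcher output only; the raw image is never stored
    tag: bytes        # HMAC-SHA256 over (user_id, template) under this system's key


def _tag(system_key: bytes, user_id: str, template: bytes) -> bytes:
    # Length-prefix the id so an (id, template) pair cannot be re-split
    # into a different pair with the same concatenation.
    msg = len(user_id).to_bytes(2, "big") + user_id.encode() + template
    return hmac.new(system_key, msg, hashlib.sha256).digest()


def enroll(system_key: bytes, user_id: str, template: bytes) -> StoredTemplate:
    """Create the record written to the database at enrollment time."""
    return StoredTemplate(user_id, template, _tag(system_key, user_id, template))


def load_for_match(system_key: bytes, rec: StoredTemplate) -> bytes:
    """Return the template only if its tag was produced under system_key for
    this exact user_id; raise otherwise, so a foreign or re-labelled record
    is never handed to the matcher."""
    expected = _tag(system_key, rec.user_id, rec.template)
    if not hmac.compare_digest(rec.tag, expected):   # constant-time compare
        raise ValueError("template not bound to this system or user")
    return rec.template


# Constructed checks: two independent installations A and B with their own keys.
def genuine_accepted() -> bool:
    key = secrets.token_bytes(32)
    rec = enroll(key, "12345", b"\x01\x02\x03constructed-template")
    return load_for_match(key, rec) == b"\x01\x02\x03constructed-template"


def injection_rejected() -> bool:
    """A record copied out of system B does not verify under system A's key."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    foreign = enroll(key_b, "12345", b"\x01\x02\x03constructed-template")
    try:
        load_for_match(key_a, foreign)
    except ValueError:
        return True
    return False


def relabel_rejected() -> bool:
    """Same system, but the record's user id was changed after enrollment."""
    key = secrets.token_bytes(32)
    rec = enroll(key, "12345", b"\x01\x02\x03constructed-template")
    moved = StoredTemplate("99999", rec.template, rec.tag)
    try:
        load_for_match(key, moved)
    except ValueError:
        return True
    return False
```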
SELECTION – BALANCING ACT
[Figure: triangle of Convenience, Security, and Acceptance]
• Biometric sensor selection – security vs. convenience
• Security – US Embassies
  – Convenience and acceptance are not priorities
• Convenience – dining application
  – Although it adds security, not always the driving factor
• Acceptance – What’s in it for me?
  – Must be easy to use and provide a benefit
• Newer systems provide balance
CLOUD BASED CARD ISSUANCE
A Paradigm Shift for Card Printing
CURRENT MODEL
Current ID Production
• Printers connected to individual workstations
• On-premise card system database
• Remote & onsite support
THE FUTURE OF STUDENT ID ISSUANCE
[Figure: card system at the center, connected to consumables auto-replenishment, card designer, mobile ID, card services, card printing & overflow, local printing (printers 1, 2 … n), and support]
CARD ISSUANCE
Cloud Card Printing
• Eliminate the printer PC; enroll cardholders with devices via web interface
• Manage from anywhere
• Eliminate software install and maintenance
• Utilize all available resources by auto print queueing (printers 1, 2 … n)
BANK TELLER MODEL
MIT – BEFORE
APPLE STORE MODEL
MIT - AFTER
GENERATE MOBILE PHOTO IDS
Mobile Photo ID
• Officially a student
• Added convenience
• Seamlessly issue and renew
• Gain flexibility with future compatibility – Mobile Access
• Potential revenue stream
REMOTE PRINTER SUPPORT
Reduce Service Calls
Technicians can monitor printers from remote locations
Direct access to tech support, apply firmware to entire fleet
Minimize downtime, increase operational efficiency
IDENTITY MANAGEMENT
Physical Identity and Access Management
CHALLENGES MANAGING IDENTITIES
PIAM – Physical Identity and Access Management
• Manage identities among multiple PACS, transaction, and other systems
• Automate key processes
• Ensure each identity has the right access, to the right areas, for the right length of time
CONNECTING SILOS OF INFORMATION
• Isolated islands of information being brought together saves time and improves understanding for different stakeholder groups
• Sharing and centralizing data is the first step to determining risks
• Having one repository improves efficiency
• Having one repository means simpler analysis
[Figure: data from HR systems, IT systems, access control, biometrics, third-party systems, and key & asset management flowing into one repository]
PIAM FOR AUTOMATED SECURITY WORKFLOWS TO REDUCE COST
[Figure: identity lifecycle covering students, staff, visitors, contractors, and vendors]
• Enroll / Hire / Pre-register / Contract
• Authorize / Vetting
• Provision
• Issuance of access card, mobile token, or badge
• Check-in kiosks – can include issuance of temp badge
• Access audit and compliance
• Reports – operational / predictive
• Disenroll / Terminate / Check-out
PIAM SIMPLIFIES THE BADGING PROCESS
• Badge Designer – assign badge type based on the identity attributes (badge privileges)
• Training, documentation, and security checks can be added as a prerequisite for certain badge types
• Request and assign temp badge to students; photo upload and approval workflow
Workflow:
• Student requests new badge (self-service portal)
• Approver is notified and approves the request
• Badging Officer prints the badge; existing card is updated or Security prints
• Student notified – badge printed
• Workflow is documented for audit and compliance
UNIVERSITY DATA EXAMPLE
[Figure: SIS data vault feeding PACS-1, PACS-2, the transaction system, and the ID production database / card issuance software via scheduled batch files]
• Often multiple days for student service availability
• Sometimes manual processes involved
PIAM SOLUTION
[Figure: SIS or IAM feeding PIAM (includes card production, photo upload, self-service), which feeds PACS-1 … PACS-N, transaction management, rec center, and parking]
HID SAFE UNIVERSITY DEPLOYMENT
Background and Business Drivers
• Private university based in the U.S.
• 11,000 identities across multiple disparate systems
• Identities requiring physical access to campus facilities, classrooms, and secure areas within them, as well as dormitories
• Loosely connected systems dependent upon manual steps to process, record, and audit
Requirements
• Centralized badge issuance for faculty, staff, and students
• Provide a single, centralized physical identity and access management platform
• Integrate disparate systems (C-Cure, Toll Tags/parking, CSGold, Access, Aramark, T2 Parking)
• Seamless process for on-boarding and badging
• Increased visibility and reporting
Benefits Realized
• Multi-card to a single card per person
• Operational cost reduction
• Eliminated duplicate work effort across multiple systems
• Reduced manual processes and data entry
• Reduced errors
• One online centralized web portal
• Centralized security administration and operational flexibility
• Enforced access rules while allowing department-level flexibility
PREDICTIVE ANALYTICS
• Advanced analytical risk profiles (BIG DATA) combining physical and logical activity
• Prevent security threats in advance (normal patterns)
• Maximize productivity of people, facilities, processes
• Continuous risk assessment
THANK YOU