How to Add Biometrics To Your Corporate PIV Card Issuance Process

Now that numerous enterprises have implemented corporate PIV cards (PIV-C) for multi-factor authentication needs, they want to get even more security from PIV by adding biometric components to their PIV cards. This blog will provide a guide for adding biometrics to an existing PIV-C issuance system as well as guidance for implementing a biometric program in new environments.



This blog will help you add a biometric capability to your enterprise. It describes:

  1. Benefits of Biometrics
  2. What you will need
  3. Implementation Steps

Benefits of Biometrics

Biometrics are mainstream. Not just because of the awareness of the new mobility platforms that leverage biometrics (iPhone, Droid, Surface Pro), but also because of a range of security and basic economic factors. Thanks to the spectacular biometric standardization work of NIST, biometric capture and usage processes and interfaces have been standardized so that biometric data is compatible across multiple vendor platforms. This interoperability allows the enterprise to hot swap different biometric devices depending on their business need. Another benefit of standardization is the increased competition in the marketplace, which has normalized prices. In the last few years, the prices for biometric hardware have dropped dramatically. In the early 2010s, biometric capture devices cost over $10,000. Now they can be purchased for under $1,000, making biometric technology much more affordable and realistic for enterprises.


In terms of multi-factor authentication, biometrics add another factor. The security implications of this new factor are spectacular. Now to use a person’s credential, they must 1) physically possess the card, 2) know the PIN code, 3) present the fingerprint and/or iris scan. Think about what this means in realistic terms. The attacker would have to steal the card, guess the card’s PIN, and then present the correct biometric to access a system protected by PIV Card authentication. Given these multiple layers of control, it is impossible for someone to successfully use someone else’s PIV card for authentication. *Now I know it is possible for two people to collude so a PIV card could surreptitiously be used by multiple people. But if all controls are in place, a tripled multi-factor authentication scheme is extremely secure.

Operational Efficiencies

With added security and trust, the enterprise can replace human-based, labor-intensive verification processes with secure, automated machine-based transactions. Even in the PIV Card personalization process, if the user verifies their identity with a fingerprint, they can load their card without the need to be visually verified by a security or issuance operator. This means the user can load their card from their house, office or even a kiosk at a time that is convenient for them. No more wasted time in traffic just to encode their PIV card.

What you will need

Updated Privacy Policy

A sometimes overlooked but critical element is the enterprise privacy policy. The policy should clearly state what will be done with the biometrics, who can access them, how long they will be stored, and how they are secured. NIST has published a guide for protecting personally identifiable information (PII) that can help you enhance your privacy policy for biometric data.

Issuance Model Refinement

The credential issuance process will need to be updated to include the enrollment of biometric data. The great thing about PIV-C is the flexibility of where biometrics can be captured in the process.

Options for biometric collection

  • Enrollment phase: Biometrics are acquired before the user has been adjudicated, usually during the photo or identity document capture phase. The advantage of capturing the biometric data in this phase is that the biometrics can be used in later credentialing phases to optimize the entire credentialing process. For example, a user can use their fingerprint to verify their identity so that they obtain their credential using a self-service kiosk.
  • Credential pre-issuance: This occurs after the enrollment phase, but right before the credential is encoded. The advantage of this model is that biometrics can be captured on demand just before the credential is loaded and given to the user.
  • Credential post-issuance: Occurs after the credential has been issued and the user already has the credential in hand. The advantage of this model is it allows the enterprise to add biometric capabilities after the card has already been issued.

Biometric Capture Training

Another often overlooked element is training. The key to being able to use biometrics after they are enrolled is quality. Therefore, enrollment officials should undergo training to ensure they do everything possible to capture the best biometric sample. Training elements should include:

  • Proper hardware cleaning: It is critical that the biometric capture device is cleaned after each use to ensure the highest-quality fingerprint is taken. The Suprema RS-D and G10 capture surface can be cleaned using a basic sanitary wipe. *Note: please check with your biometric manufacturer before performing any cleaning activities, as some biometric hardware requires specialized cleaning materials. Therefore, the enrollment officer should be trained to clean the hardware device properly.
  • Hardware and user positioning: Equally as important as device cleanliness is the positioning of the fingers or IRIS capture camera when the user’s biometrics are being acquired. The enrollment official should show the user how to best position their fingers during the capture phase. If using an IRIS capture camera, extra care should be taken to ensure the user’s eyes are aligned properly with the IRIS capture device.
  • Software scoring feedback: Modern biometric enrollment systems provide a quality score after the biometric is acquired. The enrollment officer should be trained on the acceptable thresholds.
  • Testing and validation: The biometric system should be set up to force the enrollment officer to test the biometrics that were captured. For example, after the biometric acquisition, the user then scans their biometric to be matched with the sample that was enrolled to simulate the verification process. If this testing fails, the enrollment officer should be trained to recapture the biometrics and perform the testing process again until the validation is successful.
  • Fail to capture scenarios: Capturing usable biometrics from users is sometimes challenging or impossible. In these cases, the enrollment officer should be taught to recognize the cases where biometrics cannot be captured and instructed on how to properly document the reason why.
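The last three training elements (score thresholds, forced test and validation, documented fail-to-capture) can also be enforced by the enrollment software rather than left to operator discipline. The sketch below is an added example, not code from any enrollment product; the 0-100 quality scale, the threshold of 60, the three-attempt limit and all function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_QUALITY = 60    # assumed acceptance threshold on a 0-100 vendor quality score
MAX_ATTEMPTS = 3    # assumed retry limit before fail-to-capture is recorded

@dataclass
class EnrollmentResult:
    status: str                       # "enrolled" or "fail_to_capture"
    template: Optional[bytes] = None  # only set when a sample passed both gates
    reason: Optional[str] = None      # documented reason for fail-to-capture
    audit: list = field(default_factory=list)

def enroll(capture, verify, ftc_reason,
           min_quality=MIN_QUALITY, max_attempts=MAX_ATTEMPTS):
    """capture() -> (template, quality); verify(template) -> bool on a fresh live scan.

    A template is released for encoding only if it meets the quality
    threshold AND a second live scan matches it (test and validation).
    """
    audit = []
    for attempt in range(1, max_attempts + 1):
        template, quality = capture()
        if quality < min_quality:
            audit.append((attempt, quality, "rejected: quality below threshold"))
            continue
        if not verify(template):
            audit.append((attempt, quality, "rejected: verification scan did not match"))
            continue
        audit.append((attempt, quality, "accepted"))
        return EnrollmentResult("enrolled", template, None, audit)
    # Every attempt failed: refuse to close the record without a reason.
    if not ftc_reason.strip():
        raise ValueError("fail-to-capture requires a documented reason")
    return EnrollmentResult("fail_to_capture", None, ftc_reason.strip(), audit)

def scripted(values):
    """Stand-in for a capture device or matcher: replays constructed results."""
    it = iter(values)
    return lambda *args: next(it)

def demo_success():
    # Constructed run: low score, then a failed re-scan, then a good sample.
    capture = scripted([(b"t1", 35), (b"t2", 72), (b"t3", 81)])
    verify = scripted([False, True])
    return enroll(capture, verify, ftc_reason="")

def demo_fail_to_capture():
    # Constructed run: no attempt reaches the threshold.
    capture = scripted([(b"", 20), (b"", 25), (b"", 18)])
    return enroll(capture, scripted([]), "scarred fingertips on both index fingers")

if __name__ == "__main__":
    for result in (demo_success(), demo_fail_to_capture()):
        print(result.status, result.reason, result.audit)
```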

Biometric Technologies

Biometric hardware

These elements are the hardware that physically acquires the biometric data from the user.

Biometric modality options

  1. Fingerprint: The Suprema RS-D two print capture device provides a fast and portable means to capture fingerprints. This hardware is very easy to maintain and offers built-in scoring and segmentation features to make the entire fingerprint capture process fast.


  2. IRIS: The ICAM TD100 IRIS capture device is lightweight and allows for extremely advanced acquisition of IRIS biometrics.


IDMS/Enrollment software

The enrollment software guides the operator through the biometric acquisition process. It works with the biometric hardware to capture, segment and score the biometric data. Once complete, it provides a way to securely transmit the biometric data to the Credential Management System (CMS) where it will be encoded onto the user’s credential.


Credential Management System (CMS)

The CMS is responsible for taking the biometric data and encoding it in the PIV Card. The biometric data acquired during the enrollment process will be sent to the card via the CMS.



PIV-Compliant Smart Card Credential

The PIV Card is the final data storage location for the biometric data. All PIV certified cards have a storage location for biometric data. The CMS will inject the biometric data into the card where it can be used later for verification.


Implementation Steps

1) Publish the updated privacy policy

Ensure the latest version of the privacy policy is published to a location where all people receiving a credential can access it.

2) Document the issuance model

Determine where in the process the biometric data will be acquired. From here, update the issuance flow processes, procedures, and training materials.

3) Perform enrollment officer training

Provide training courses for enrollment officers. Ensure each officer has been given the adequate knowledge for ensuring biometric data is captured in accordance with enterprise policies.

4) Install and configure the technologies

  1. Configure the CMS card policy to include biometrics
  2. Install the biometric hardware and enrollment suite
  3. Link the biometric platform to the CMS
  4. Configure the biometric enrollment policies
  5. Perform the biometric enrollment
  6. Encode the credential


Biometrics add a level of security that can truly help organizations withstand the latest cyber-attacks and can even add operational efficiencies when planned properly. If you have an existing PIV-C issuance platform or are even starting from scratch, adding biometrics can be simple and is well worth the investment. If you have wanted to know more about how biometrics or even PIV-C can be implemented in your enterprise, go here. If you want to see a virtual demonstration, send us an email to

How To Add Virtual Smart Cards To Your PIV-C Issuance Process

Now that enterprises have become comfortable with cryptographically secured hardware provided by PIV-C, they are looking for ways to add convenience and agility to their mobile device landscape while maintaining the same level of security controls that the PIV card provides…but without the physical card or reader. In this blog, we describe how to create a Virtual Smart Card issuance capability with all the enterprise level management and usability features required for a scalable operation.


This blog will help you learn how to issue Virtual Smart Cards for your enterprise workforce. It describes:

  1. What a Virtual Smart Card Is
  2. Security Benefits
  3. Architecture
  4. Implementation Steps

What is a Virtual Smart Card (VSC)?

A virtual smart card is stored in a secured chip known as a Trusted Platform Module (TPM). This TPM provides the same security features as a PIV smart card, but the chip is on the device’s motherboard, not embedded in an ID Card. From a convenience point of view, this design is spectacular because the user can achieve the same tamperproof security controls provided by a PIV Card even if their device lacks a smart card reader. With this approach, enterprises can easily extend cryptographic multi-factor authentication features to their mobile assets to complement their PIV Card issuance capabilities.


VSC Security Features


Conceptually, the VSC is similar to taking the chip from your PIV card and permanently storing it in your mobile device. While the VSC is different from your actual PIV card, it provides the same core security features that make the PIV card so effective. This matrix provides a side by side comparison of the two.

Hardware-based security (Non-exportability)

One of the best (if not the best) security features of the VSC is that the keys cannot ever be exported. The reason this is important is that if the device is ever stolen or is impacted by malware, the keys cannot be extracted and used by an unauthorized user. This provides extraordinary protection to ensure that the user’s keys can never be compromised if a hacker steals the device or clones the hard disk.


Another benefit of using the hardware approach to storing keys is the way the hardware can protect itself against traditional brute force attacks. Using a process known as anti-hammering, the chip will be able to detect fraudulent access attempts and will lock itself using an advanced algorithm to make sure an attacker cannot gain access to the TPM, but it does not permanently lock out a valid user that accidentally entered the PIN incorrectly. This Microsoft link has a great technical explanation of the anti-hammering feature.
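The behaviour described above, a lockout that throttles guessing but heals over time, can be modelled with a failure counter that forgets one failure per interval. This is an added example, not TPM firmware or Microsoft code; the limit of 32 failures and the 10-minute healing interval are assumed sample parameters, and the model assumes a successful PIN entry does not reset the counter.

```python
from dataclasses import dataclass

@dataclass
class AntiHammer:
    """Model of an anti-hammering counter with time-based healing."""
    max_tries: int = 32       # assumed: failures tolerated before lockout
    heal_seconds: int = 600   # assumed: one failure is forgotten per interval
    failures: int = 0
    last_heal: float = 0.0

    def _heal(self, now):
        # Forget one failure for every full healing interval that has elapsed.
        healed = int((now - self.last_heal) // self.heal_seconds)
        if healed > 0:
            self.failures = max(0, self.failures - healed)
            self.last_heal += healed * self.heal_seconds

    def try_pin(self, guess, real_pin, now):
        """Return 'ok', 'bad' or 'locked'. A locked chip never tests the PIN."""
        self._heal(now)
        if self.failures >= self.max_tries:
            return "locked"
        if guess == real_pin:
            return "ok"
        if self.failures == 0:
            self.last_heal = now  # healing clock starts at the first failure
        self.failures += 1
        return "bad"

def guesses_tested(chip, real_pin, duration_s, step_s=1):
    """Count wrong guesses the chip actually evaluates when hit every step_s."""
    tested = 0
    for t in range(0, duration_s, step_s):
        if chip.try_pin("0000", real_pin, float(t)) != "locked":
            tested += 1
    return tested

def user_recovers(chip, real_pin):
    """Lock the chip, then show the correct PIN works after one healing interval."""
    for t in range(chip.max_tries):
        chip.try_pin("bad", real_pin, float(t))
    while_locked = chip.try_pin(real_pin, real_pin, float(chip.max_tries))
    after_wait = chip.try_pin(real_pin, real_pin, float(chip.heal_seconds))
    return while_locked, after_wait

if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    print("guesses tested in 24 h:", guesses_tested(AntiHammer(), pin, 86400))
    print("valid user:", user_recovers(AntiHammer(), pin))
```

At these sample settings, hammering once per second for 24 hours gets only 175 guesses evaluated, against 10,000 possible four-digit PINs, while a locked-out valid user is accepted again after a single healing interval.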

Multi-Factor Compatibility

The VSC provides immediate MFA security features out of the box with no additional hardware or software. For enterprises that have invested in cryptographic/PKI based authentication protocols, now their mobile devices can also utilize this trust fabric faster and easier.

Business Benefits

The cost and usability nature of VSC can enable enterprises to deploy hardware-based cryptographic tokens to their workforce at scale.


While I do love traditional PIV Cards, I will be the first to admit that they can be challenging to use when I am on my mobile device. Like everyone else, when I am on the go, I just want to be able to use my PKI credentials immediately without anything getting in the way. With the VSC feature, I now always have secure access to my credentials to protect my data and logins. For enterprises, this convenience is critical as it allows IT to implement the highest cryptographic security controls without disrupting the productivity of their workforce.

Cost effective

Modern devices (even desktops) are being delivered with VSC capabilities built-in out of the box. There is no need to purchase separate hardware for credential storage. Additionally, the virtual smart card behaves like a traditional PIV card so there is no need to buy additional software to use its multi-factor authentication and data protection security features.


The VSC implements the most secure multi-factor authentication protocols as well as provides the basis for Windows Bitlocker data protection. Since these features are now built into the user’s device, the enterprise can eliminate other proprietary multi-factor authentication products and use the VSC exclusively.

What you will need

If you are like me, you are so excited about the security and usability features of VSC and want to get started immediately with implementation. However, before you jump right in, you will need to prepare your enterprise for some operational changes before full roll out. Additionally, you will want to think about an architecture that is scalable and ready to go for full operations so you do not waste time evaluating a solution that will need to be reworked to meet enterprise needs.

Updated Backup/Disaster Recovery Procedures

Due to the strength of TPM security controls, TPM technologies can have a dramatic impact on the way an organization manages the recovery of their IT assets. Once the TPM is turned on and configured, traditional data backup and IT management processes no longer work without also taking great care in backing up the TPM information. The reason is, the TPM implements hardware-based security that effectively makes the data unexportable to any other device without proper security controls. Personally, I love this feature because if I lose my laptop, someone cannot just take out the hard drive and copy it. However, it does mean enterprises must take great care in securely backing TPM information to effectively provide a secure recovery process for their workforce. Microsoft provides guidance here.

Updated subscriber agreement

The virtual smart card implements the same security features as the traditional PIV card…but without the PIV card and reader. Sometimes, the end user does not even realize they are using an advanced crypto device. However, they should still be informed of their PKI responsibilities to protect their keys. Therefore, do not forget to include the subscriber agreement in the VSC issuance process.

Scalable architecture

Most of the VSC implementation guidance available describes a simple architecture consisting of 1 laptop and a test certificate authority. While this guidance is spectacular for learning how VSC works and even for evaluation purposes, an enterprise must consider what it takes to issue and manage 1000s of VSC credentials. This is because once security managers and users start using VSC technology, its use will only become more popular in the enterprise. The following are elements that must be factored into the architecture to ensure a successful transition into full operations:

  • Initialization – how will the VSC be initialized and managed
  • Post issuance – how do you update, suspend or terminate a certificate
  • Credential Linkage – given users typically have multiple credentials, how can the VSC be linked to a user’s current credential list
  • Certificate Trust – How will the certificates be used and trusted

Technologies Required

In the guidance below, we will be issuing virtual smart cards using a high speed, scalable architecture that can support PIV-C and PIV-I derived credentials. Note, this architecture is for enterprises ready for full VSC deployment. If your enterprise is still in the early phases of research, I recommend this great Microsoft tutorial to get started.

TPM Chip

The great thing is that Microsoft is requiring TPM technology to be part of the hardware stack for Windows 10. For an enterprise, this means you will already have the TPM in your infrastructure without additional costs.


VSC Management Platform

The management platform will provide centralized management for all of the VSC credentials issued within the enterprise. This platform will also enable administrators to easily manage the certificates at an enterprise level. The HID CMS product provides the features for enterprise VSC management along with advanced APIs for linking issuance and post issuance activities to automate the management of VSC credentials.

Certificate Authority

The CA will provide the certificate services for the VSC. In this example, we are using a cloud-based, managed certificate authority from IdenTrust. IdenTrust provides an entire spectrum of certificate options and has the core industry certifications that can allow for immediate scale and trust for PIV-I and Direct Trusted Agent.

VSC Issuance Software

The issuance software walks the user step by step through the process of encoding their VSC and drastically streamlines the traditional virtual smart card issuance process and automates manual steps for initializing the VSC. Additionally, the issuance software provides the necessary authentication services to ensure the user has permissions to encode their VSC.


Implementation Steps

1) Configure CMS to issue Virtual Smart Cards

In the CMS Customization/Devices console, check the option for Virtual Smart Cards.


2) Connect the CMS to the Certificate Authority

Add a New Certificate Authority



3) Create the device policy

Now that the CMS has been configured for VSC and for the certificate authority, the next step is to configure the device policy. The device policy is what allows the enterprise to issue VSCs at scale as this feature allows the admin to set the PIN protection and certificate details at a global level.

4) Encode the VSC






Virtual Smart Cards give enterprises another extremely useful way to equip their workforce with strong authentication and data protection tools. Similar to the PIV Card, the VSC can provide unparalleled security to withstand the latest cyber threats. If you have more questions about the architecture or want to see a demonstration, please send us an email to