Topics about PIV implementation and research.
PIV standardization has made it much easier to secure a domain with smart cards, requiring only a few configuration steps without any additional software. The goal of this article is to show the configuration steps so corporations can understand what it takes and even test PIV cards in their environment first hand.
Now that numerous enterprises have implemented corporate PIV cards (PIV-C) for multi-factor authentication needs, they want to get even more security from PIV by adding biometric components to their PIV cards. This blog will provide a guide for adding biometrics to an existing PIV-C issuance system as well as guidance for implementing a biometric program in new environments.
This blog will help you add a biometric capability to your enterprise. It describes:
- Benefits of Biometrics
- What you will need
- Implementation Steps
Benefits of Biometrics
Biometrics are mainstream. Not just because of the awareness of the new mobility platforms that leverage biometrics (iPhone, Droid, Surface Pro), but also because of a range of security and basic economic factors. Thanks to the spectacular biometric standardization work of NIST, biometric capture and usage processes and interfaces have been standardized so that biometric data is compatible across multiple vendor platforms. This interoperability allows the enterprise to hot swap different biometric devices depending on their business need. Another benefit of standardization is the increased competition in the marketplace, which has normalized prices. In the last few years, the prices for biometric hardware have dropped dramatically. In the early 2010s, biometric capture devices cost over $10,000. Now they can be purchased for under $1,000, making biometric technology much more affordable and realistic for enterprises.
In terms of multi-factor authentication, biometrics add another factor. The security implications of this new factor are spectacular. Now, to use a person’s credential, someone must 1) physically possess the card, 2) know the PIN code, 3) present the fingerprint and/or iris scan. Think about what this means in realistic terms. The attacker would have to steal the card, guess the card’s PIN, and then present the correct biometric to access a system protected by PIV Card authentication. Given these multiple layers of control, it is impossible for someone to successfully use someone else’s PIV card for authentication. *Now I know it is possible for two people to collude so a PIV card could surreptitiously be used by multiple people. But if all controls are in place, a tripled multi-factor authentication scheme is extremely secure.
With added security and trust, the enterprise can replace labor-intensive, human-based verification processes with secure, automated, machine-based transactions. Even in the PIV Card personalization process, if the user verifies their identity with a fingerprint, they can load their card without the need to be visually verified by a security or issuance operator. This means the user can load their card from their house, office or even a kiosk at a time that is convenient for them. No more wasted time in traffic just to encode their PIV card.
What you will need
Issuance Model Refinement
The credential issuance process will need to be updated to include the enrollment of biometric data. The great thing about PIV-C is the flexibility of where biometrics can be captured in the process.
Options for biometric collection
- Enrollment phase: Biometrics are acquired before the user has been adjudicated, usually during the photo or identity document capture phase. The advantage of capturing the biometric data in this phase is that the biometrics can be used in later credentialing phases to optimize the entire credentialing process. For example, a user can use their fingerprint to verify their identity so that they obtain their credential using a self-service kiosk.
- Credential pre-issuance: This occurs after the enrollment phase, but right before the credential is encoded. The advantage of this model is that biometrics can be captured on demand just before the credential is loaded and given to the user.
- Credential post-issuance: Occurs after the credential has been issued and the user already has the credential in hand. The advantage of this model is it allows the enterprise to add biometric capabilities after the card has already been issued.
Biometric Capture Training
Another often overlooked element is training. The key to being able to use biometrics after they are enrolled is quality. Therefore, enrollment officials should undergo training to ensure they do everything possible to capture the best biometric sample. Training elements should include:
- Proper hardware cleaning: It is critical that the biometric capture device is cleaned after each use to ensure the highest quality fingerprint is taken. The Suprema RS-D and G10 capture surface can be cleaned using a basic sanitary wipe. *Note: please check with your biometric manufacturer before performing any cleaning activities, as some biometric hardware requires specialized cleaning materials. Therefore, the enrollment officer should be trained to clean the hardware device properly.
- Hardware and user positioning: Equally as important as device cleanliness is the positioning of the fingers or IRIS capture camera when the user’s biometrics are being acquired. The enrollment official should show the user how to best position their fingers during the capture phase. If using an IRIS capture camera, extra care should be taken to ensure the user’s eyes are aligned properly with the IRIS capture device.
- Software scoring feedback: Modern biometric enrollment systems provide a score quality after the biometric is acquired. The enrollment officer should be trained on the acceptable thresholds.
- Testing and validation: The biometric system should be set up to force the enrollment officer to test the biometrics that were captured. For example, after the biometric acquisition, the user then scans their biometric to be matched with the sample that was enrolled to simulate the verification process. If this testing fails, the enrollment officer should be trained to recapture the biometrics and perform the testing process again until the validation is successful.
- Fail to capture scenarios: Capturing usable biometrics from users is sometimes challenging or impossible. In these cases, the enrollment officer should be taught to recognize the cases where biometrics cannot be captured and instructed on how to properly document the reason why.
The elements are the hardware that physically acquires the biometric data from the user.
Biometric modality options
- Fingerprint: The Suprema RS-D two print capture device provides a fast and portable means to capture fingerprints. This hardware is very easy to maintain and offers built-in scoring and segmentation features to make the entire fingerprint capture process fast.
- IRIS: The ICAM TD100 IRIS capture device is lightweight and allows for extremely advanced acquisition of IRIS biometrics.
The enrollment software guides the operator through the biometric acquisition process. It works with the biometric hardware to capture, segment and score the biometric data. Once complete, it provides a way to securely transmit the biometric data to the Credential Management System (CMS) where it will be encoded onto the user’s credential.
Credential Management System (CMS)
The CMS is responsible for taking the biometric data and encoding it in the PIV Card. The biometric data acquired during the enrollment process will be sent to the card via the CMS.
PIV-Compliant Smart Card Credential
The PIV Card is the final data storage location for the biometric data. All PIV certified cards have a storage location for biometric data. The CMS will inject the biometric data into the card where it can be used later for verification.
2) Document the issuance model
Determine where in the process the biometric data will be acquired. From here, update the issuance flow processes, procedures, and training materials.
3) Perform enrollment officer training
Provide training courses for enrollment officers. Ensure each officer has been given the adequate knowledge for ensuring biometric data is captured in accordance with enterprise policies.
4) Install and configure the technologies
- Configure the CMS card policy to include biometrics
- Install the biometric hardware and enrollment suite
- Link the biometric platform to the CMS
- Configure the biometric enrollment policies
- Perform the biometric enrollment
- Encode the credential
Biometrics add a level of security that can truly help organizations withstand the latest cyber-attacks and can even add operational efficiencies when planned properly. Whether you have an existing PIV-C issuance platform or are starting from scratch, adding biometrics can be simple and is well worth the investment. If you have wanted to know more about how biometrics or even PIV-C can be implemented in your enterprise, go here. If you want to see a virtual demonstration, send us an email to firstname.lastname@example.org.
As the popularity of mobile credentials grows and more users adopt them within the organization, IT managers should consider an important usability aspect: certificate validation speed and availability. In this blog, we will discuss what it takes to ensure mobile device certificate validation is fast and scalable enough to handle the ever-growing needs of mobile-based certificate validation.
This blog will help you learn how to build a fast and resilient credential validation infrastructure. It describes:
- Basics of certificate validation
- Impacts of mobile device certificate validation
- Considerations for adding speed and resiliency
Basics of Certificate Validation
To understand ways to improve certificate validation speed, we need to understand how certificate validation works. To ensure a certificate is valid and has not been revoked, the certificate is electronically checked against a file known as a Certificate Revocation List (CRL) each time it is used. This is very important but can be a time-consuming process. The CRL contains the information for every certificate that has been revoked. If the certificate information is on this list, then the certificate is deemed to be revoked and cannot be used.
To obtain the CRL information, the computer that is verifying the card performs what is known as a certificate validation process. During this process, the CRL is downloaded from the Certificate Authority (CA) and then the certificate is checked against the CRL file to determine whether the certificate is in good standing. If the certificate is in good standing, then the transaction can occur.
Drawbacks of CRL Validation
Although the CRL validation technique works to validate the card, it is very slow and is prone to a single point of failure. This is due to the size of the CRL and the fact that each computer must download a fresh copy of the CRL list.
In enterprise environments, this leads to very slow validation times and outages. When this occurs, the end users cannot use their certificate for authentication, which leads to the end user being locked out of their computer. This can quickly become a huge problem for the enterprise.
Impacts of Mobile Device Certificate Validation
The biggest impact has to do with the number of certificates that now must be validated by the enterprise. As we will see below, there are numerous factors that could drastically change the number of validation requests that occur in the enterprise during a typical work day.
1 Person – many devices
Think of how many devices you own. I know personally, I have two laptops, one phone, and one tablet. Some people have two phones, two laptops and a tablet or two. Now, multiply the number of devices by the employees, partners and external users across the enterprise. That’s a lot of devices that will need to be validated if a person wants to use their certificate on any of their devices. This drastic increase in validation transactions can bring a traditional validation architecture to a halt.
Each year, the mobile device vendors create a better phone, tablet or ultra cool laptop than the year before, encouraging the end user to upgrade their multiple devices. Because of this upgrade cycle, users are constantly getting new devices which require new certificates. As you can imagine, this is doubling the amount of certificates that are being generated and revoked, which causes your CRL to grow and grow, which in turn makes validation slower and slower.
1 Certificate – multiple devices
With new certificate synchronization technologies, a user’s certificate on one device can be synchronized to other devices. This occurs when a user wants to read an encrypted email on their laptop and smart phone. Although this makes it easier to check your secure email on any device you own, it also increases the validation workload because now the certificate is being used in multiple places.
Considerations for Adding Speed and Resiliency
To overcome the limitations of the CRL Validation technique, a technology known as Online Certificate Status Protocol (OCSP) was developed. With OCSP, the CRL is replaced with a micro file, known as an OCSP response, that only contains the information for one card. This greatly streamlines the PIV validation process for the computer and network since now only a very small file is downloaded and processed.
The OCSP architecture is significantly faster since each workstation only downloads the micro file (OCSP Response). Additionally, the enterprise is no longer vulnerable to a single point of failure since the OCSP technology can be distributed to different areas of the enterprise.
- Faster transactions: Using the micro file OCSP technology, certificates can be validated instantaneously, whereas the CRL Validation technique could take minutes (or longer) and consume large amounts of network bandwidth.
- “Always there” validation: With CRL Validation, a single point of failure exists. For example, if the network is interrupted and the CRL cannot be downloaded, then all of the computers needing the list will fail to validate the PIV card. This could result in locking end users out of their computers for hours. With OCSP technology, the validation elements can be distributed throughout the environment so the computers have the ability to validate against different servers, thus providing “always there” validation.
- Scalable: The distributed design of OCSP technology enables enterprises to finely tune and optimize their PIV validation capability. For example, as their PIV Card user base grows, they can add more OCSP processing power with additional OCSP servers.
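The two validation paths described above, run offline against a throwaway CA with the openssl command line. This is an added example, not part of the original post; the CA name, the users alice and bob, and every file name are constructed. `crl_status` needs the CA's full revocation list to answer for one certificate, while `ocsp_status` asks for a signed answer about a single serial number.

```shell
# Added example: throwaway CA in a temp dir; every name and path is constructed.
set -eu
PKI=$(mktemp -d)

build_pki() {  # CA plus two user certificates; bob's is then revoked
  cd "$PKI"; mkdir newcerts; : > index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Demo PIV CA" -days 30 2>/dev/null
  for u in alice bob; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$u.key" \
      -out "$u.csr" -subj "/CN=$u" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -days 30 -in "$u.csr" -out "$u.pem" 2>/dev/null
  done
  openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 7 -out crl.pem 2>/dev/null  # whole list
}
crl_status() {  # CRL path: the client must hold the complete list
  if out=$(openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$1.pem" 2>&1)
  then echo good; else case $out in *revoked*) echo revoked;; *) echo error;; esac; fi
}
ocsp_status() {  # OCSP path: request, responder and client run locally via files
  openssl ocsp -no_nonce -issuer ca.pem -cert "$1.pem" -reqout "$1.req" 2>/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin "$1.req" -respout "$1.resp" 2>/dev/null
  openssl ocsp -no_nonce -respin "$1.resp" -issuer ca.pem -cert "$1.pem" \
    -CAfile ca.pem 2>/dev/null | sed -n "s/^$1\.pem: //p"
}

build_pki
for u in alice bob; do echo "$u crl=$(crl_status "$u") ocsp=$(ocsp_status "$u")"; done
```

In this demo the CA key signs the OCSP responses directly and nonces are disabled so the stored response can be re-checked from a file; a production responder would normally use a delegated signing certificate.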
Adding speed and resiliency has been made much easier thanks to the adoption of OCSP by many software vendors. For example, Apple and Microsoft now provide OCSP clients in their operating systems out of the box. Enterprises also now have easy to deploy options to immediately add OCSP power to their internal networks. For example, the HID ActivID Validation Authority implements OCSP and other fast validation protocols and is easy to install as a hardware device or as software.
It is clear that the NIST Derived Credential publications, industry support for Virtual Smart Cards and the general need for strong MFA will continue to drive the need for PKI on mobile devices. Enterprises must be ready for this growth to ensure the validation architecture continues to be as robust and fast as possible.