Identity Verification and Biometrics Loom Large
Security has become all the more important at the user level. Verifying that an individual is who he or she claims to be, and is entitled to the access being requested, is vital to preventing cybermarauders from getting into a system to purloin or sabotage important information. Biometrics can play a key role in identity management, particularly in cross-enterprise implementations.
Approaches to identity management are maturing in both government and the private sector globally. Whether for physical or logical access, public key infrastructure (PKI) and biometrics are surfacing as common denominators to add strength and flexibility to the authentication processes. The difficulty remains a lack of consensus on processes, application of standards, and management of attributes across enterprise boundaries. For example, in the United States, federal standards are clear but often applied differently among federal agencies—and certainly at the state, local and tribal levels and within the private sector. Similarly, in Europe, the European Union (EU)/European Council have adopted standards, but implementation varies from country to country, even within the EU or NATO frameworks.
Federated approaches to identity verification and attribute identification are helping to bridge enterprises. Agreements on the acceptance of PKI certifying authorities, biometrics as a strong element of authentication, and acceptance—in a federated environment—of credentials from multiple approved sources all are facilitating the establishment of trust relationships across enterprises.
Relying parties, the authorities that determine access or transaction execution based on identity and attribute input, increasingly are taking a "bring your own credentials" (BYOC) approach. Federation allows this approach as long as the relying parties insist on standards-compliant credentials only. This approach also allows relying parties to determine for themselves the level of assurance required for a particular level of access or type of transaction. Many credentials now include PKI certificates for electronic signature and encryption, and registered biometrics for strong authentication. Personal identification numbers (PINs) usually are established as well; a PIN can be used alone for transactions of lesser importance or in conjunction with PKI or biometrics for stronger authentication.
A flexible and federated identity verification system such as this requires clear governance to provide guidance to policy makers, credential providers and relying parties—the decision makers. A good example is U.S. Department of Defense Instruction 8520.03, Identity Authentication for Information Systems, dated May 13, 2011 (www.dtic.mil/whs/directives/corres/pdf/852003p.pdf), which provides guidance on identity verification for logical access to Defense Department and partner networks and systems. This instruction states that acceptable credentials may be provided by the federal government or by approved nongovernment providers.
For Defense Department personnel, the Common Access Card (CAC) is the standard credential. For industry and other Defense Department partners, an approved commercial credential must be obtained. In addition, the instruction prescribes sensitivity levels for both classified and unclassified access tied to the level of proofing—background checks and/or security clearances—held by the individual. Credential strengths are also specified, depending on whether the credential is software-based or hardware token-based; whether a PKI certificate is provided and the type and source of the PKI certificate if provided; and whether Defense Department chief information officer approval is provided for the specific strength of the credential.
The use of biometrics to enhance the strength of authentication is not specified, but high-strength credentials usually have registered biometrics that can be used by the relying parties to strengthen authentication for specific access or transactions if desired. Anyone who does business with the Defense Department on a regular basis should review Instruction 8520.03 to understand fully the department’s use of credentials.
Using biometrics to enhance the strength of credential authentication certainly is not new. In Europe, the United Kingdom has been using its Iris System for some time to expedite entry into the country. After registering an iris scan against a passport, travelers can use a separate, faster line to present their passports electronically, followed by an iris scan to verify their identity, and cross the border on the strength of a previous background check. Similarly, the Global Entry system in the United States allows incoming travelers expedited access based on the electronic presentation of a passport reinforced by a registered biometric. Again, such access is based on a background check that is done at the time of registration in the program.
Credentials are becoming more common in a variety of domains for both physical and logical access. The use of PKI and/or biometrics to strengthen authentication is gaining traction. AFCEA enabled the use of standards-compliant credentials on its portal this month, and the association plans to allow use of compliant credentials at AFCEA events in the near future.
On September 18-20, 2012, AFCEA, the National Institute of Standards and Technology and the National Security Agency will present the 2012 Biometric Consortium Conference and Technology Expo at the Convention Center in Tampa, Florida. This year, for the first time, AFCEA will host a track focused on identity management. If you want to know more about this increasingly important area of identity management and authentication, I recommend you attend this event.