Despite advances in biometric access control, it will take a culture shift to kill the smart card, says Steve Howard, principal at Endeavor Blue LLC. “People are used to seeing the physical badge when you’re walking around,” he explains. “It’s so ingrained in people that it isn’t going away anytime soon and nothing can replace that.”
Our recent Security Report shows that the market for Access Control products accounted for 24% of the global security market, totalling approx. $6.84Bn in 2016. Access Control has maintained its growth of around 10% this year as it further penetrates the IP Network business and moves into biometric, identity management and wireless locking systems. So for how long will smart cards hang on to their position as the leading access control technology?
Back in June of this year, Terry Halvorsen, CIO of the Defense Department, proclaimed that the standard access card, which federal employees use to gain access to both physical buildings and computer networks, will be replaced within two years. This statement, especially the timescales, raised both eyebrows and questions at the conference where Halvorsen was speaking.
He claimed smart cards would be supplanted by an “agile, multi-factor authentication system.” Halvorsen alluded to “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.” He also suggested that the smart card may retain only some physical access control applications.
“As the U.S. Federal Government considers moving beyond Common Access Cards and Personal Identity Verification cards to embrace biometrics and behavioral biometrics, one can expect to see a focus on standards around two-factor authentication that enable the government to leverage innovation in the private sector, while maintaining adequate security,” Todd Thiemann, VP of Marketing at Nok Nok Labs, told Secure ID News.
“There will need to be baseline requirements for hardware devices to provide some root of trust to secure cryptographic material, as well as biometric data on the device, such as a Trusted Execution Environment (TEE) or Secure Element (SE). It also means not only providing secure operating environments for sensitive authentication operations, but also the ability to prove the veracity of that operating environment to a remote system,” Thiemann continued.
A number of experts have dismissed Halvorsen’s comments as overly ambitious and premature considering the procedures and obstacles to be navigated before such a wholesale change to federal security protocol. Firstly, for the ‘Common Access Card,’ and the PIV used by other federal agencies, to be replaced, the HSPD-12 directive signed by President George W. Bush calling for a standard and interoperable credential across all agencies would have to be repealed.
Furthermore, it would take at least two years for budgets relating to any new type of authentication system to be fully approved. Then the “behavioral, continuous biometric systems” that Halvorsen alluded to would have to undergo comprehensive and time-consuming testing and certification before use by any federal agency.
“Behavioral biometrics may play a role in securing identities in the future, particularly by supplementing authentication and countering fraud; the U.S. government will find that it is not a substitute for good primary authentication. Explicit user consent cannot be achieved unless the user takes a specific action like entering a PIN or taking some biometric action,” said Thiemann.
Biometrics may offer a step up in security over smart cards, but they are by no means foolproof. A fingerprint, for example, can be duplicated using gelatin molds, or the actual finger of approved personnel could be acquired using more violent approaches such as threats or dismemberment. Voice recognition systems have been overcome with recordings and face recognition systems bypassed with photographs.
These approaches may seem gruesome, espionage-esque and unlikely, but in the case of high-security federal applications they must be considered. In the end, stealing a fingerprint (or finger) can be treated much the same as stealing a smart card or a key. Furthermore, all biometrics are converted into a digital format within the access control system, making them vulnerable to hacking. A true security upgrade would need a “multi-factor” approach, but we’re not quite there yet.
Halvorsen’s remarks do point towards the probable future of federal access control. Looking five to ten years into that future, we can start to realistically imagine such fundamental change to authentication, including behavioral biometrics and derived credentials on mobile devices that can secure access to data and enable digital signing of emails.
For now, however, the humble smart card will persist in federal access control systems. Nothing currently available can replace the security, convenience and affordability of smart cards in a desktop work environment.