by David Tushie, Magellan Consulting, Inc., ICMA Standards and Technical Representative
Secure identification is an interesting card industry topic. On one hand, it is simple to understand; on the other, it is difficult but necessary to prove. In the physical world everyone knows who they are, who they always have been and who they always will be. Individuals have many characteristics or features that enable them to be unique when compared to anyone else. The identification process actually starts at birth when we are given our name, which becomes our first identifier. A name is not necessarily unique, since others can have the same name, but during our early childhood years it is often sufficient. With the advent of the virtual world and an internet identity that has global reach, a name alone is not sufficient. Passwords were created to protect the uniqueness of our identity for access to goods and services in the digital world. This factor is often referred to as “something you know.”
The first passwords were four-digit numeric codes, called Personal Identification Numbers (PINs) by the financial community, that were easy to memorize and unfortunately easy to copy. Security took a step forward, but fraudsters used electronics to copy and steal the PIN codes at the point of use and these passwords became compromised. Fighting back, security providers required longer, more complex passwords that had to be changed on a regular and frequent basis. In parallel, the physical world was becoming more digital and more mobile. Online card-based solutions to purchase and pay for goods were growing dramatically. Virtual merchants like Amazon were ascendant while physical retailers like Sears had trouble adapting to this new dynamic. To protect the identity and security of card-based transactions, the financial brands initiated their plan to migrate their cards to support EMV secure transactions in the United States in 2011. They also encouraged merchants to adapt their point-of-sale (POS) terminals to support EMV transactions or possibly suffer a chargeback denial in the case of a fraudulent, counterfeit card transaction. This was the so-called liability shift that occurred in the United States in October 2015, which moves the chargeback liability from the issuer to the merchant if the merchant’s POS terminal does not support EMV transactions when an EMV chip card is presented. This implementation has been very successful for card-present transactions and now incorporates cards used at ATMs and retail gasoline pumps. The EMV card fulfills the second factor of security requirements, “something you have.” Unfortunately, the increase in the number and value of online transactions has fueled the increase in card-not-present transactions, for which EMV has no fraud countermeasure.
The third factor of the authentication security triangle, “something you are,” is the subject of major development efforts and investment programs. To a greater or lesser degree, all of these technologies can uniquely authenticate a person’s identity using their personal biometric. A thorough review of the biometric landscape is beyond the scope of this article, but we can examine two of the most popular card-based biometric solutions: fingerprint and facial recognition.
The secure ID card environment
Apple gave secure fingerprint identification credibility with the advent of Apple ID technology in its smartphone. Billions of fingerprints have been taken and stored in their phones. Other smartphone manufacturers have followed Apple’s lead and introduced similar fingerprint technology. Five years ago, there was concern that a fingerprint sensor could not be made thin enough to be mounted in a standard ISO ID-1 card. This is no longer a limitation. Furthermore, if the sensor is on the card and the card has matching chip technology and the required application firmware, the cardholder can complete a very secure “match-on-card” authentication. It is reasonable to assume that this capability could be available in the very near term, subject to the industry’s ability to ramp up the manufacturability of this sophisticated interactive card.
Instead of providing secure ID access using a fingerprint biometric, the latest generation of smartphones now commonly uses facial recognition biometrics to provide access. In this case, a mobile ID can be created by registering your image in the security application. Incorporating this kind of biometric into an ID-1 card could follow a path similar to the one taken with fingerprint sensors. To garner widespread usage, the cameras and supporting chips will need to be sufficiently small in size and power to fit into the physical constraints of an ID-1 card and not require battery power to operate.
A related development is the considerable effort going into the perfection of the ISO standards that are required to bring a useful, universal, mobile solution to the marketplace. This ISO effort is being managed by the ISO/IEC JTC1/SC17/WG10 motor vehicle driver license and related documents group. The standard being developed is ISO/IEC 18013. Part 5 of this standard defines the mobile driver license (mDL). The second CD for ISO/IEC 18013-5 is under review, with comments coming from AAMVA, Apple, Fast, Google and NIST.
For a universal card-based secure ID application, the security process should mirror the mobile ID smartphone solution, as people without smartphones will require secure ID access to goods and services. Recent card technology under development has shown the feasibility of radio-frequency powered interactive cards. Agreement on the standards and continuous engineering improvement will be required before these cards are available at a reasonable price point.
About the Author: ICMA Standards and Technical Representative David Tushie has had a long and continuing career in the card industry, working for international companies such as DataCard, UbiQ and NBS Technologies. He has master’s degrees in engineering and business, holds U.S. and international patents in measurement and card issuance systems and has had several years of involvement with the ANSI, INCITS and ISO standards process. ICMA is represented at six ISO and ANSI standards meetings through his standards role within the association.