(Really) Smart Cards

AXA Technology deploys biometric solution via Microsoft platform

• By Tom Flynn
• Jan 04, 2010

In 2007, a customer of the AXA Group, a financial protection company, wanted to replace an existing strong authentication system with a smartcard- based solution to coincide with an end-user hardware refresh project. AXA Technology Services initially proposed its smartcard platform, and the customer was interested in extending it to support biometric authentication. This would make it easier and more convenient to log on securely and to use public key infrastructure certificates for access to more applications while providing the same level of security.

Logging in would still require a username and password because it was considered to be critical for managing a large, geographically dispersed user community. It also would provide a back-up authentication method for users who were not in possession of their smart card.

A Formidable Challenge

AXA Group is based in Paris and has more than 135,000 employees, operating in 55 countries, so deployment of the identity management system was a big project. The company knew a strong authentication system was needed because protecting IT systems and employee identity credentials is paramount in the financial services business.

AXA began integrating smart-card technology with the existing PKI system to define a new global standard for strong authentication. Company officials worked with Gemalto and Microsoft to develop a strong authentication framework based on Microsoft Base cryptographic service provider-compliant smart cards (the Gemalto .NET Smart Card) that is fully interoperable with the existing Microsoft environment.

Globally, this environment includes Windows XP and Vista® clients, Windows Server® 2003 and subsequent versions, Active Directory® and Microsoft Identity Lifecycle Manager.

Because an off-the-shelf solution was not available, AXA Technology approached Gemalto about the possibility of developing a custom solution in a compressed timeframe. Based on a positive assessment of the project's feasibility, Gemalto decided to work with long-time partner Precise Biometrics, a manufacturer of biometric software for smart cards, to develop a robust biometric authentication system for the Gemalto .NET smart card.

This particular AXA Technology Services' customer provides financial protection, life insurance and investment products to consumers, corporations and other financial services firms. Its products are sold directly by a retail distribution team and through financial intermediaries including brokers, dealers and independent financial planners.

Employees work from multiple locations and require secure, on-demand access to networks, business applications and data. Secure remote access to an online portal is especially important because employees and external representatives are located throughout the country and often use Web-based applications during meetings at customers' locations.

Solution Architecture, Components and Usage

The Gemalto .NET smart card serves as the primary employee identity credential and incorporates fingerprint Match-on-Card™ technology from Precise Biometrics. Because it is integrated with Microsoft's Windows Smart Card Framework, the biometrics-enabled smart card is fully compatible with the customer's existing Microsoft infrastructure. Integration with Windows XP, Active Directory and Microsoft Identity Lifecycle Manager is seamless, and no middleware was required other than the specific components developed for biometric support.

Identity Lifecycle Manager is used as the certificate and smart-card management system. ILM combines meta-directory, certificate management and user provisioning across Windows and enterprise systems in a single packaged offering. Its meta-directory capabilities support a single view of user identities across all enterprise systems and maintain the consistency of this view across all connected systems. The certificate management functionality in ILM significantly simplifies and reduces the cost of deploying and managing digital certificates and smart cards.

The solution consists of both on- and off-card components. They include four libraries that are installed on the client computer and two applications that reside on the Gemalto .NET smart card itself. Components installed on the client PC enable the user's biometric credentials to seamlessly interact with the Microsoft operating system and applications.

Components of the solution include biometry-enabled Gemalto .NET smart cards that include a Biomatch Assembly (Precise Biometric's Match-on-Card application) and Mini-driver Bio Assembly. Four libraries are installed on the Windows XP client PC, biometric enrollment station module, a client-side utility that enables users to enroll their fingerprints at any time. It also includes biometric verification service, a client-side service capturing and managing events from both the fingerprint reader and the Base CSP, a mini-driver all for the .NET Smart Card compatible with Microsoft Base CSP v5 and a customized windows smart-card logon interface.

The solution supports three different smart-card authentication modes: PIN only, fingerprint only and PIN or fingerprint. The biometric application stores and verifies users' fingerprint information directly on the smart card for added security. The fingerprint information never leaves the card and is never stored in a database, thus protecting users' digital identities. Privacy issues and security risks associated with other biometric authentication methods are mitigated because the fingerprint credentials are stored and validated on the smart card, which is constantly in the user's possession.

The smart card is used to log on to any biometrics-enabled workstation within the customer's domain. The solution includes an enrollment application that lets users enroll their own fingerprints and provides other self-service capabilities, including remote card unblock. Up to four fingerprints can be enrolled and stored on the card.

When employees log on to their desktops, or use security enabled applications such as the secure remote access system, secure e-mail or document signature, they insert their smart card into an integrated reader and authenticate by scanning their fingerprint as a biometric identifier. PIN authentication is always available for workstations that may not have a fingerprint scanner.

Customer Deployment

Gemalto .NET cards with biometric support were initially deployed to more than 3,000 independent representatives to enable secure remote network access and safe use of Web-based services for business-critical applications. Subsequently, the biometric authentication solution was extended to several thousand corporate employees. This larger population is using the biometric smart card for network logon, digital signature and secure remote access. Smart cards issued to employees at targeted locations include a contactless smart-card reader interface that can enable physical access to corporate facilities as required.

The impact on the user community was minimized by a close working relationship between the deployment team and branch technology managers located in each branch office. Several branch technology managers have reported that end users are satisfied with the speed and ease of the biometric smart-card login process. The number of smart-card logins to the company's online portal for business applications has continually increased since the deployment began.

The successful development effort and deployment project helped AXA meet its customer's expectations for rapid development and implementation of a smartcard- based biometric authentication system. It also enabled AXA to extend the corporate smart-card framework to include biometrics support without any incremental risk or changes to the existing IT infrastructure.

Adopting the biometric smart card also strengthened the company's overall level of IT security and provided a means for smart-card usage to become ingrained in the corporate culture. It has dramatically reduced password sharing and badge swapping. A converged badge for physical and logical access control also provides incremental value by dramatically reducing network attacks and data losses from internal sources.

The biometric authentication solution enhanced the end-user experience by providing added convenience and fl exibility for secure network access. Because the fingerprint biometric credentials are stored on the smart card, they are uniquely portable and can be used with any hardware system that has a smart-card reader and fingerprint sensor.

For AXA, the smart-card-based solution extends the range of applications that can be secured with strong authentication. In addition to secure remote access, the company is considering smart-card-enabled security for additional Web applications, e-mail signature, encryption and access to printing facilities. Already, there are plans to migrate several campuses to a single converged badge with the AXA Technology Services.