(Really) Smart Cards
AXA Technology deploys biometric solution via Microsoft platform
In 2007, a customer of the AXA Group, a financial protection company,
wanted to replace an existing strong authentication system with a smartcard-
based solution to coincide with an end-user hardware refresh
project. AXA Technology Services initially proposed its smartcard
platform, and the customer was interested in extending it
to support biometric authentication. This would make it easier
and more convenient to log on securely and to use public key
infrastructure certificates for access to more applications while
providing the same level of security.
Logging in would still require a username and
password because it was considered to be critical for
managing a large, geographically dispersed user community.
It also would provide a back-up authentication method for users
who were not in possession of their smart card.
A Formidable Challenge
AXA Group is based in Paris and has more than 135,000 employees, operating in
55 countries, so deployment of the identity management system was a big project.
The company knew a strong authentication system was needed because protecting
IT systems and employee identity credentials is paramount in the financial
AXA began integrating smart-card technology with the existing PKI system to
define a new global standard for strong authentication. Company officials worked
with Gemalto and Microsoft to develop a strong authentication framework based
on Microsoft Base cryptographic service provider-compliant smart cards (the
Gemalto .NET Smart Card) that is fully interoperable with the existing Microsoft
Globally, this environment includes Windows XP and Vista® clients, Windows
Server® 2003 and subsequent versions, Active Directory® and Microsoft Identity
Because an off-the-shelf solution was not available, AXA Technology approached
Gemalto about the possibility of developing a custom solution in a
compressed timeframe. Based on a positive assessment of the project's feasibility,
Gemalto decided to work with long-time partner Precise Biometrics, a manufacturer
of biometric software for smart cards, to develop a robust biometric authentication
system for the Gemalto .NET smart card.
This particular AXA Technology Services' customer provides financial protection,
life insurance and investment products to consumers, corporations and other
financial services firms. Its products are sold directly by a retail distribution team
and through financial intermediaries including brokers, dealers and independent
Employees work from multiple locations and require secure, on-demand access
to networks, business applications and data. Secure remote access to an online
portal is especially important because employees and external representatives
are located throughout the country and often use Web-based applications during
meetings at customers' locations.
Solution Architecture, Components and Usage
The Gemalto .NET smart card serves as the primary employee identity credential
and incorporates fingerprint Match-on-Card™ technology from Precise Biometrics.
Because it is integrated with Microsoft's Windows Smart Card Framework,
smart card is
fully compatible with the customer's
existing Microsoft infrastructure. Integration with Windows
XP, Active Directory and Microsoft Identity Lifecycle Manager is seamless,
and no middleware was required other than the specific components developed
for biometric support.
Identity Lifecycle Manager is used as the certificate and smart-card management
system. ILM combines meta-directory, certificate management and user
provisioning across Windows and enterprise systems in a single packaged offering.
Its meta-directory capabilities support a single view of user identities across
all enterprise systems and maintain the consistency of this view across all connected
systems. The certificate management functionality in ILM significantly
simplifies and reduces the cost of deploying and managing digital certificates
and smart cards.
The solution consists of both on- and off-card components. They include four
libraries that are installed on the client computer and two applications that reside
on the Gemalto .NET smart card itself. Components installed on the client PC
enable the user's biometric credentials to seamlessly interact with the Microsoft
operating system and applications.
Components of the solution include biometry-enabled Gemalto .NET smart
cards that include a Biomatch Assembly (Precise Biometric's Match-on-Card application)
and Mini-driver Bio Assembly. Four libraries are installed on the Windows
XP client PC, biometric enrollment station module, a client-side utility that
enables users to enroll their fingerprints at any time.
It also includes biometric verification service, a client-side service capturing and
managing events from both the fingerprint reader and the Base CSP, a mini-driver
all for the .NET Smart Card compatible with Microsoft Base CSP v5 and a customized
windows smart-card logon interface.
The solution supports three different smart-card authentication modes: PIN
only, fingerprint only and PIN or fingerprint. The biometric application stores and verifies users' fingerprint information directly on the smart card for added security.
The fingerprint information never leaves the card and is never stored in a database,
thus protecting users' digital identities. Privacy issues and security risks associated
with other biometric authentication methods are mitigated because the fingerprint
credentials are stored and validated on the smart card, which is constantly in the
The smart card is used to log on to any biometrics-enabled workstation within
the customer's domain. The solution includes an enrollment application that lets
users enroll their own fingerprints and provides other self-service capabilities, including
remote card unblock. Up to four fingerprints can be enrolled and stored
on the card.
When employees log on to their desktops, or use security enabled applications
such as the secure remote access system, secure e-mail or document signature, they
insert their smart card into an integrated reader and authenticate by scanning
their fingerprint as a biometric identifier. PIN authentication is always available
for workstations that may not have a fingerprint scanner.
Gemalto .NET cards with biometric support were initially deployed to more than
3,000 independent representatives to enable secure remote network access and
safe use of Web-based services for business-critical applications. Subsequently,
the biometric authentication solution was extended to several thousand corporate
employees. This larger population is using the biometric smart card for network
logon, digital signature and secure remote access. Smart cards issued to employees
at targeted locations include a contactless smart-card reader interface that can enable
physical access to corporate facilities as required.
The impact on the user community was minimized by a close working relationship
between the deployment team and branch technology managers located in
each branch office. Several branch technology managers have reported that end
users are satisfied with the speed and ease of the biometric smart-card login process.
The number of smart-card logins to the company's online portal for business
applications has continually increased since the deployment began.
The successful development effort and deployment project helped AXA meet
its customer's expectations for rapid development and implementation of a smartcard-
based biometric authentication system. It also enabled AXA to extend the
corporate smart-card framework to include biometrics support without any incremental
risk or changes to the existing IT infrastructure.
Adopting the biometric smart card also strengthened the company's overall level
of IT security and provided a means for smart-card usage to become ingrained
in the corporate culture. It has dramatically reduced password sharing and badge
swapping. A converged badge for physical and logical access control also provides
incremental value by dramatically reducing network attacks and data losses from
The biometric authentication solution enhanced the end-user experience by
providing added convenience and fl exibility for secure network access. Because the
fingerprint biometric credentials are stored on the smart card, they are uniquely
portable and can be used with any hardware system that has a smart-card reader
and fingerprint sensor.
For AXA, the smart-card-based solution extends the range of applications
that can be secured with strong authentication. In addition to secure remote
access, the company is considering smart-card-enabled security for additional
Web applications, e-mail signature, encryption and access
to printing facilities. Already, there are plans to migrate
several campuses to a single converged badge with the AXA
Tom Flynn is the director of marketing, identity and access
management for Gemalto North America.