High Assurance Credentialing
Moving to higher ground within the commercial enterprise space
- By Gerald Hubbard
- Sep 01, 2017
Recent cyberattacks highlight the need to know who
you are interacting with in email and online activities,
and who you grant access to your networks and
physical facilities. Technology exists and is validated
with large scale deployments that can reduce risk of
cyberattacks and unauthorized breaches. The use of biometrics in
user authentication is becoming more common and enables the positive
identification of individuals prior to giving access rights or conveying
trust in communications.
Commercial organizations can leverage this technology, proven and
supported by rigorous standards, to move beyond “flash passes” for
building access or simple user names and passwords for network access.
The End of “User Name
and Password” Identification
Data breaches can be detrimental—and extremely costly—to any
enterprise organization. Such breaches commonly occur when the
identity of an employee, executive or partner/vendor is compromised.
Attackers may use phishing approaches to get an initial user’s credentials,
at which point they have a foothold to begin working internally
to breach their ultimate target—for example, databases, email
accounts or cryptographic keys. Once an attacker has an in, they can
plant malware on enterprise devices or even use the organization’s
own admin tools against them to operate under the radar of IT’s cyber
The rising prevalence of outsourcing, bring-your-own-device
(BYOD) and remote access has made it even more difficult for enterprises
to protect their networks. According to the 2016 “Data Risk
in the Third-Party Ecosystem” survey conducted by the Ponemon
Institute1, 49 percent of organizations surveyed have experienced a
data breach caused by a third party vendor that resulted in the misuse
of sensitive or confidential information (an additional 16 percent
were unsure if they have), and 34 percent have experienced a data
breach caused by a cyberattack that resulted in the misuse of sensitive
or confidential information (an additional 30 percent were unsure if
they have). Only 41 percent of respondents felt their vendors’ data
safeguards and security policies and procedures are sufficient to respond
effectively to a data breach.
The standard “user name and password” approach to credentialing
is no longer sufficient to protect against the threat of unauthorized
access and, ultimately, damaging breaches. High assurance credentials
incorporating multi-factor-authentication (MFA) methods
are the best way to decrease risk and improve trust in an organization’s
ability to secure critical infrastructure.
The Emergence of Biometric Modalities
Strong MFA solutions require verification of a combination of identifiers.
For two-factor validation, a physical token (keycard, USB
dongle) is typically combined with a PIN to allow access. A third
factor can be added using biometric identifiers (facial recognition,
fingerprints, etc.) to elevate the security level of assurance for even
greater access control.
Commercial Identification Verification (CIV) can be provided at
this level of security using smart cards that combine identifiers such
as a photo ID with MFA for physical and logical access, secure digital
signature recognition for non-repudiation, and a secure audit trail
of enterprise activities. Secure document, transaction and data flow
can be assured with session key encryption utilizing a CIV that meets
FIPS201 and OMB11-11 specifications. Many vendors now support
standardized products for new deployments and for transitioning
legacy systems to support high assurance credential usage.
Capturing Biometric Data
Biometric live capture enrollment is an emerging technological approach
used in both commercial and government settings to collect
and analyze some of these types of identifiers and bind them to a specific user. But in order for biometrics systems
to be beneficial, an organization’s IT team
must be able to easily assimilate them into the
organization’s existing security infrastructure.
Biometric data capture, such as collection
of fingerprints and photographs, can be performed
automatically with the use of a selfservice
kiosk, or by a trained security agent
or HR representative. A combination of the
two can also be used to speed up the process.
The interface and workflow of the kiosk are
critical considerations for user adoption. The
kiosk should be easy to identify, use and understand.
It’s possible for the interface to adjust
workflow in accordance with the user’s
demographic. The speed of the question/
answer workflow may be adjusted to meet
the user’s anticipated needs, without the user
even realizing it. The interactive technology
will detect inconsistencies and adjust the
workflow to allow correction or to automatically
abort an attempt. Anti-fraud measures
can also be built in and biometrics can be
proofed with background adjudication.
The real benefit of a self-service ID kiosk
occurs after the credentials have been
issued—when they are checked at the point
of entry to a network, area or building.
Here, biometric data can be matched offline
on the issued credential or online against a
central database. Fingerprints can be quickly
scanned and matched; a signature can be
validated; or a photo can be used for a facial
recognition (FR) comparison. Many of the
security functions enabled by the technology
can take place seamlessly without the
user’s express step-by-step direction because
they occur in the background. Once an individual’s
background and identity are vetted
through the appropriate authoritative agencies,
it won’t have to be done repeatedly.
In order to successfully implement an interoperable,
high-assurance identity credential in a
commercial enterprise, requirements must be
business case-driven for the stakeholder. Business
cases should be developed to leverage the
identity management/credential process with
other mandates specific to the industry. Factors
including replacement of current flash
pass technology, specific identity credentials
with centralized lifecycle revocation management,
improved certificates and the adoption
of new use cases must be addressed in order to
While the thought of implementing a
biometrics solution may sound intimidating,
there are actually many existing standards
that can be leveraged to avoid having to reinvent
the wheel. With vetting and high-assurance
credential issuance, many current functions
requiring secure authentication (such
as physical and logical access control, secure
email with digital signatures, secure signing
of documents for nonrepudiation, etc.) can
be implemented with the high-assurance
credential. Examples include the FIPS201
standard, which is already well established
based on the federal government’s efforts to
optimize ID management and credentialing
processes. Commercial Identity Verification
credentials or CIV is aligned with FIPS201,
but provide flexibility to the commercial entity
for policy management based on compatible
The Role of Systems
Systems integrators must guide commercial
organizations as they find their footing in the complex high- assurance credentialing ecosystem. Integrators can
help enterprises to meet government mandates without reinventing
the wheel or going too far afield, and to secure their facilities and
Expertise in physical and logical access requirements are crucial
responsibilities of the systems integrator. A successful integrator will
understand and be able to educate customers about the requirements.
They must also secure access management of corporate IT resources.
To succeed, the integrator’s knowledge of new and proven technologies,
control systems and use-case value propositions is essential.
There are different options for biometrics deployment models.
Optimal systems integration will incorporate products that support
nationwide implementation, meet appropriate mandates, and perform
across the infrastructure. Standardization is required, so systems
integrators should be involved in this process in order to make
sure the standards are deployed, as well as to understand them and be
able to incorporate them into the technology solutions.
Interoperability and consistency are essential, and the most effective
integrators will be actively engaged in the establishment of a
shared security infrastructure. They also need the ability to securely
add workflow automation. To become a part of a holistic security
solution throughout the critical infrastructure, integrators need to
balance their business goals with commonalities shared across the
industry and its stakeholders.
Access control and identification credentials can and should be
developed to fit an organization’s individual security requirements –
without compromising the interoperability that will allow true authentication
and validation of an identity based on an organization’s
identity management policy.
Installing a self-service biometric capture and enrollment kiosk
on-site in a facility’s lobby or Human Resources office will save time
and resources. Access credentials issued by this means will allow access
management for entry at facility gates, doors and secure areas.
Different levels of security clearances can be embedded in the credential
to validate authorized entry to designated security zones. Kiosks
can even be remotely deployed, for use at job fairs, other off-site venues
for life cycle management of the identity credential. Self-service
kiosks that can be connected to national databases are available for
live biometric capture and identification proofing.
In addition, the value-added capability of biometrics solutions is
enabled with the technology to protect and secure network data and
to control who can access emails and IT infrastructure, which is essential
to preventing damaging data breaches.
This article originally appeared in the September 2017 issue of Security Today.