The tech that locks down ID cards
- By Stephanie Kanowitz
- Feb 29, 2016
Across federal and state governments alike, secure identity cards are getting securer. Whether the card allows for access into a government building or travel to another country, new technologies are making it easier for officials to verify identities.
Take the new Permanent Resident Card, or green card, which lets holders live and work in the United States on a permanent basis. The U.S. Citizenship and Immigration Services recently began issuing redesigned cards, the front of which features ink that shifts from gold to green, embedded radio frequency identity (RFID) technology, tactile laser personalization, a laser-engraved fingerprint and a unique background design.
On the back, the cards have a personalized embedded hologram. Additionally, ultraviolet technology and tactile clues help deliver more accurate readings at border crossings.
Like the previous version of the card, the new cards use embedded optical media to store digital files including biometrics, a holographic image and micro-images of high-resolution pictures of state flags and U.S. presidents.
USCIS placed an $88.3 million order with identity solutions provider HID Global to redesign, manufacture and supply the cards. Under the agreement, the Austin, Texas-based company will produce, deliver and store up to 34 million identity cards in the next five years.
HID Global is no stranger to making green cards. This award continues the relationship between USCIS and HID Global, which in the past has developed security technology such as an optical stripe. That metallic stripe, HID Global Vice President of Corporate Affairs Kathleen Carroll told the House Oversight and Government Reform Committee in October, is embedded into the laminate that is laser-engraved with a high-resolution replica of the card-holder’s face and signature.
“It is easy to visually confirm its authenticity; it holds digital data that must be programmed to match the data printed on the card; and is virtually impossible to replicate without very sophisticated and hard-to-obtain laser engraving technology,” Carroll said. “We intend to work with USCIS to continue making the most secure, most reliable credential on the planet.”
Two types of ID card technology are being used in the federal security market today, said Randy Vanderhoof, executive director of the Smart Card Alliance. One is long-range RFID technology and is primarily used for border crossings. RFID lets inspectors read unique, 192-bit serial numbers from a distance and link the information to the personal data on file.
“The U.S. passport card, which is a companion card to passports and provides land access to Canada and Mexico, is a long-range RFID technology,” Vanderhoof said.
Passports themselves use the other main card technology: a short-range high-security chip that operates at a different frequency and has additional security capabilities. This is often found in personal identity verification (PIV) cards that governments issue to grant card holders access to facilities and information systems.
“There’s incremental steps in security, and the first level of security is to have what we call a machine-readable card rather than something that is simply a visual proof of one’s identity, because visual-only cards have no active security measures in them,” he said. “It really is up to the security guard to make a decision as to whether or not that credential belongs to that individual. Having a machine-readable [card] makes it much more difficult to alter or counterfeit, and it offers the security checkpoints additional security data that they could use to verify one’s identity.”
The highest-level identity cards, which are required for federal badges and passports in the United States and abroad, also contain cryptographic and biometric features that can be authenticated in real time, which makes them much better at authenticating identity, Vanderhoof added.
When such cards are lost or stolen, for example, the biometrics provide an extra layer of protection.
“You could always use makeup or disguises to replicate someone’s identity,” Vanderhoof said. “Visual methods are only a slight increase in security. Having a [system] where there is a live biometric captured when the card is used and that is matched up with a biometric that was captured at the time the card was issued provides a much higher level of security.”
To know which technology is best, government officials must look at the situation and determine the tradeoffs between speed of identity verification and the security level required, Vanderhoof said. At border crossings, cards with long-range RFID that can be read at a distance reduce the likelihood of people waiting in their cars for hours to cross borders. On the flip side, some citizens worry that their movements could be tracked by RFID readers without their knowing. To address that concern, they can request a sleeve that protects the radio frequency signal. That means the card can’t be read until the holder is at the border checkpoint window.
“There’s always going to be tradeoffs in every security system,” Vanderhoof said. “There’s no one universal technology that works in every use case.”
Following the attacks on the Office of Personnel Management that exposed millions of personal records, government officials have started looking more seriously at two-factor authentication -- passwords and biometrics, for instance -- for network access cards to prevent breaches, Vanderhoof said. PIV cards can allow employees into not only buildings, but also onto computer systems -- and a growing number of agencies are taking that approach.
“We’re seeing an expansion of the use of the government’s secure identity credential from simply being a door access system to being a totally integrated access control solution for both physical and logical computer access,” he said.
Benji Hutchinson, senior director of federal programs at MorphoTrust USA, an identity solutions provider, agreed. Last year, the Defense Department combined its ID badge with common access cards, which allow access to computer systems, and the State Department is working to do the same, Hutchinson said.
At the state level, the most common form of ID -- the driver’s license-- has yet to adopt much technology in terms of biometrics. Instead, states such as New York are turning to tougher-to-counterfeit materials such as polycarbonate, color-changing ink and laser-engraved photos.
The Real ID Act, however, is forcing states to provide enhanced driver’s licenses that have machine-readable RFID chips, strips or barcodes that store personal information such as the holder’s Social Security number. Almost all states now comply with the act or have received extensions on a comply-by date. The Transportation Security Administration might deny air travel to travelers who don’t have this type of card by the deadlines.