IdentiPHI Enterprise Security Solutions

Smart Card PKI login and physical access (single badge): Card Management System

The objective is simple; delivering on that objective is anything but. A single badge for every employee and contractor that can be used for either physical or logical access, or most importantly, both.
As one of the largest business and retail banks employing nearly 200,000 employees at over 4,000 locations nationwide, centralizing the issuance and management of a smart card ID badge created a challenge that required careful planning and execution. Even with years of PKI experience, issuance of smart cards to carry the credentials has proven ineffective without central manageability. “In addition to the complexities of card issuance and management, it seemed that depending on the card vendors to contribute more than just cards themselves was an expectation that would lead to disappointment.” Large investments were made to multiple card vendors with little effect. It seemed that each card manufacturer had a unique, and often very limited and proprietary method supporting how the cards should be used.

The reality is that this should not have been left up to the smart card vendor, who after all is only a single component of the entire project scope. What may not be apparent to most IT staff until they are deep into the project is that every card requires middleware to interface with the PC operating system and certificate authority, a card reader, and a CMS (Card Management System), all of which must interoperate for the project to succeed. What was needed was a comprehensive approach to supporting virtually any device regardless of the manufacturer.

The IdentiPHI solution provided all required components and worked with multiple vendors to deliver a fully integrated and fully compatible solution for existing and future systems. To tie all of this technology together, a highly scalable card management system was required to link the certificate to the user as well as the user to the smart card. A physical access system was already in place and badges were being used for office entry, so it became obvious how important it was to leverage the commonalities between physical and logical access in a single badge. This meant that each employee and contractor could use a single card to enter a building or garage, as well as log on to a computer or wireless access point. Once again, a significant portion of this capability was determined by the CMS.

The result was a card issuance system that utilized role-based administration and would issue the appropriate card type (either for physical access only, or for both logical and physical access). The process was designed to allow an individual to request a card via a web portal. The request would be approved and a role assigned by a central or local authority. The approved request would then allow an issuer to generate the required logical components for the card (i.e. certificate and key pair generation), photograph the user for the required physical components, print the card per corporate ID standards, and deliver the card to the requesting user at a designated badging station.
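The issuance workflow above, modelled as a small role-gated state machine. This is an added illustration, not IdentiPHI's CMS code: the role names, the role-to-card-type policy, the separation-of-duties check, and the stand-in for on-card key generation are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

class CardType(Enum):
    PHYSICAL = "physical"          # building/garage entry only
    COMBINED = "physical+logical"  # entry plus PKI logon

class State(Enum):
    REQUESTED = 1   # submitted via the web portal
    APPROVED = 2    # role assigned by a central or local authority
    ISSUED = 3      # credentials generated, badge printed and delivered

# Assumed role-to-card-type policy; the page names the card types, not the roles.
ROLE_POLICY = {"visitor-contractor": CardType.PHYSICAL, "employee": CardType.COMBINED}

class IssuanceError(Exception): pass

@dataclass
class CardRequest:
    requester: str
    state: State = State.REQUESTED
    role: Optional[str] = None
    card_type: Optional[CardType] = None
    credential: Dict[str, str] = field(default_factory=dict)

def approve(req: CardRequest, approver: str, role: str, admins: Dict[str, Set[str]]) -> CardRequest:
    if req.state is not State.REQUESTED:
        raise IssuanceError("request is not pending approval")
    if "approver" not in admins.get(approver, set()):
        raise IssuanceError(f"{approver} lacks the approver role")
    if approver == req.requester:   # assumed separation-of-duties check
        raise IssuanceError("requester may not approve their own card")
    if role not in ROLE_POLICY:
        raise IssuanceError(f"unknown role {role}")
    req.role, req.card_type, req.state = role, ROLE_POLICY[role], State.APPROVED
    return req

def issue(req: CardRequest, issuer: str, admins: Dict[str, Set[str]], photo: bytes) -> CardRequest:
    if req.state is not State.APPROVED:
        raise IssuanceError("only approved requests can be issued")
    if "issuer" not in admins.get(issuer, set()):
        raise IssuanceError(f"{issuer} lacks the issuer role")
    if not photo:
        raise IssuanceError("photo required for the printed badge")
    if req.card_type is CardType.COMBINED:
        # Stand-in for on-card key pair generation and certificate enrollment.
        req.credential = {"subject": f"CN={req.requester}", "key": "on-card (stand-in)"}
    req.state = State.ISSUED
    return req
```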
Beyond the authentication functionality that the smart card allows bank employees and contractors, there is a significant need in the United States to deliver similar functionality to retail banking customers for online transactions. Many large banks in Europe have been using smart cards to store certificates and other user data for years. Every new EMV (Europay / MasterCard / Visa) card issued contains a smart chip, and the chip is required at virtually every kiosk in Western Europe. Until recently, only the United States Department of Defense had successfully accomplished this on a large scale.

The limitation that this technology was designed to address is the inability to adequately manage and protect data that is stored on the magnetic strip common to every credit card. With the FFIEC mandate, which requires all online transactions to use 2-factor authentication, there was a new urgency to distribute smart cards to customers or face penalties for non-compliance. The decision to use smart cards as opposed to other methods was not taken lightly; other large banks were implementing alternative authentication methods that included graphical passwords or tokens. The natural course of action seemed obvious when looking at EMV technology and the familiarity of the card form factor. With the addition of the integrated chip, all bank cards could be used as smart cards. Digital certificates stored on the chip can be used to authenticate to online banking resources.

“Another major advantage of using smart cards as opposed to cards containing only a magnetic strip is the ability to write and manage account data on the card.” Magnetic data is written to the card when it is issued by the bureau, and that data is static for the life of the card. Using the inherent capabilities of the card’s IC, data can be modified to reflect changes in the account, or kept as a history of account usage that can be accessed immediately, online or offline. Each of the cards can also be configured to leverage PayPass technology, which is becoming more prevalent with merchants in the US for easy payment using RF (Radio Frequency).

Copyright © IdentiPHI Inc. 2007. All Rights Reserved.