Getting Clever With Smart Cards
May 1, 2004 12:00 PM, By Jacqueline Emigh
In workplaces ranging from Boeing and Microsoft to the U.S. Department of Defense (DoD), employees now wield special, contactless wallet-sized cards that let them pass through the main door when they arrive on the job. More powerful than either magnetic or barcode cards, these smart cards come with built-in computer processors for handling everything from biometric fingerprint data to access rights for specific buildings. Card security is tighter, too.
“Government has been the biggest driver behind smart cards. After the DoD issued four million smart cards, all the other federal agencies got interested, too,” says Randy Vanderhoof, executive director of the Smart Card Alliance. Other federal agencies that have started to use smart cards for physical access control include the U.S. Dept. of Transportation (DOT).
At the same time, some large multi-national corporations are also turning to smart cards for managing access to physical facilities. “When companies expand through acquisition, they also acquire multiple badge systems,” Vanderhoof says. “Some of them are making the decision to use a single smart card across all their facilities.”
In terms of technology, the cards now being used for physical access are similar to the smart cards long deployed for PC and network access. For several years now, information security (IS) managers have found smart cards a handy way of gaining “two-factor authentication,” says Jason Schouw, vice president and general manager for SCM Microsystems.
Computer networks have relied mostly on passwords or PINs. “A password is ‘something you know,’” Schouw says. Passwords, however, are easily lost or stolen. By combining the PIN with a plastic ID card, employers can add “something you have” as a second factor in proving that employees “are who they say they are.”
Schouw acknowledges that barcode and mag cards allow for PINs as well. “It's fairly easy, though, to swipe a mag card and obtain the PIN. Likewise, mag cards can get zapped, too. Smart cards are much more secure. You truly have a tiny computer on each and every card,” he says.
Moreover, smart cards already contain enough computing horsepower to accommodate additional authentication factors. By adding a biometric identifier such as a fingerprint image, companies can get three-way authentication. A biometric identifier is “something you are,” Schouw says.
There's room for storing and processing other information, too. “In the typical smart card implementation, organizations add the employee number, hiring date, and which buildings the employees can access,” Vanderhoof says.
Most smart cards use wireless radio frequency identification (RFID) technology for a “contactless” architecture aimed at reducing wear-and-tear on cards and equipment.
Meanwhile, a few corporate pioneers are starting to combine data for physical and computer access control on a single smart card. An employee can present the same card to get past corporate security gates in the morning, and to log onto the computer network later that day.
“About 55,000 Microsoft employees are now carrying Smart ID badges of this kind,” Vanderhoof says. Beyond Microsoft, other companies using smart cards for combined physical and computer network access include Boeing, Sun Microsystems and defense contractor Northrop Grumman.
Still, if smart cards are really that much better than mag cards, key-fobs, or traditional lock-and-key, why aren't more companies using them?
Costs are a major blockade. Pricing for smart card readers has slid to only $30 to $40, in comparison to around $60 to $300 for a barcode reader, according to Tim Eustis, president and CTO of Zeosoft.
Yet the smart cards themselves cost anywhere from just under a dollar to $2.20 each, in contrast to “just pennies” for barcode and mag cards. More importantly, a transition to smart card readers has generally required a company to replace its legacy access control infrastructure.
“It's more than just the cards and readers that need to be changed. The network has to change, too,” Eustis says.
As a work-around solution to that problem, SCM recently unveiled a software development kit (SDK) that allows companies to run smart card readers and applications across Wiegand wiring as well as newer RS-485 and TCP/IP networks.
Prices are expected to drop further after manufacturers start taking a more uniform approach to smart card technologies. In standardization, government again leads the way, through initiatives now being worked out at the National Institute of Standards and Technology (NIST).
“In the future, you'll see more processing power and additional capabilities on smart cards, as prices continue to come down,” Vanderhoof predicts. “Smart cards might reduce or eliminate the need for human security guards. The business case here is that you'll get better security with lower personnel costs.”
It's quite possible, though, that some companies might prefer to keep guards on the payroll anyway. “Each security environment needs to take its own risks into account. I wouldn't necessarily advocate the replacement of guards with a smart card system, per se,” Schouw says.
Experts also cite problems with the smart card form factor itself, as well as with the accuracy, costs and need for standardization of the biometrics sometimes used on the cards.
“A smart card really has to be kept in a wallet, so that it doesn't get folded or bent,” Schouw says, adding that he foresees the eventual inclusion of smart card-like technology in more convenient embedded devices, such as electronic key-fobs.
Moreover, in the United States at least, smart card opponents have long raised privacy objections. Opponents fear that too much personal information might be stored in the card.
The U.S. Citizenship and Immigration Services, for example, plans to start requiring visitors to the United States to supply biometric fingerprint images, according to Ram Sathappan, biometrics solutions manager at Texas Instruments. Fingerprint templates will be contained in passport and visa documents, and in some cases in smart cards.
Sathappan also points to accuracy issues with current biometric smart cards. Storage of biometric images in smart cards instead of on the network brings faster and more secure processing, he says.
For greater accuracy, however, the images need to be processed by special chips, known as digital signal processors (DSPs), which will need to be contained in the card readers. “Pre-processing would be done on the DSP in the card reader, and then matching against the original template by the processor in the smart card,” Sathappan illustrates.
Smart card pricing does look likely to tumble, as manufacturers come up with better and more uniform technologies. Cultural resistance is another matter. Still, though, smart cards seem headed for wider deployment, even if smart card-like technology does start showing up in other forms.







