To Card or Token

Thin sheets of plastic slightly larger than credit cards are changing the way government employees identify themselves.

Agencies are outfitting their computer systems with software and hardware to meet a policy set forth by President Bush requiring a common identification standard for access to facilities and computer systems. The order, Homeland Security Presidential Directive 12 (HSPD-12), also virtually forces agencies to drop other methods for authenticating identities, despite their technological advantages and lower costs.

As hackers become more sophisticated at stealing identities and penetrating organizations' computer systems, the need for enhanced security protections has become essential. Traditional regimes, such as using passwords, have become too easy to foil. Today, security experts believe at least two forms of identification, such as a password coupled with a fingerprint, are necessary, and companies are rushing into the government market to meet agencies' demands.

Andrew Johnson, vice president of engineering at Viack Corp., a Scottsdale, Ariz.-based company that helps companies and the government work over the Internet, says while everybody uses passwords right now, their weaknesses are well-documented and users must take extra steps to protect them. Our society is "moving away from a password-based authentication scheme," Johnson says.

Many agencies now find themselves having to load their computer systems with new software and hardware to read smart cards, which can contain a host of personal information as well as forms of identification, such as an encoded fingerprint. Smart cards are attractive because of their enhanced security features. For instance, a holder might present his fingerprint to a reader that can match it up with the print on the card.

But there are other, often cheaper, methods for verifying identity. Some of these devices issue a new password every time they're used, for example, USB keys that plug into a commonly used computer socket; bingo card systems, in which a grid of numbers laid out in rows and columns is printed on a card and the user is asked for the numbers in randomly chosen cells to verify his identity; and hybrid devices that combine one-time-use passwords and a USB key. Hybrid devices are more common in the business world, often to validate a person's identity for online stock trading and banking, for example. Some industry observers predict that these devices will be used to confirm everything from the identities of Amazon.com customers logging on to their accounts to people signing in to their Web-based e-mail.
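The bingo card scheme described above, as an added example that is not code from the article or from any vendor it names: the server keeps its own copy of the issued grid, challenges the user with random cell coordinates, and consumes each challenge once it is answered so a captured response cannot be replayed at a later login. The names make_grid_card, respond and GridCardVerifier, and the 5x5 layout, are assumptions for illustration.

```python
import hmac
import secrets

ROWS = "ABCDE"          # printed row labels on the card (assumed layout)
COLS = 5                # printed column numbers 1..5
CELLS_PER_CHALLENGE = 3 # how many cells one login asks for


def make_grid_card():
    """Issue one card: a 5x5 grid of random two-digit values from a CSPRNG.
    The server stores a copy; the user carries the printed card (the possession factor)."""
    return {f"{r}{c}": secrets.randbelow(100)
            for r in ROWS for c in range(1, COLS + 1)}


def respond(card, cells):
    """What the cardholder types back: the values printed in the requested cells."""
    return tuple(card[c] for c in cells)


class GridCardVerifier:
    """Server side of the bingo-card scheme: pick cells at random, check the answer."""

    def __init__(self, card):
        self._card = card
        self._pending = None  # the single outstanding challenge for this session

    def challenge(self):
        """Select distinct random cells; issuing a new challenge discards the old one."""
        coords = list(self._card)
        picked = []
        while len(picked) < CELLS_PER_CHALLENGE:
            c = secrets.choice(coords)
            if c not in picked:
                picked.append(c)
        self._pending = tuple(picked)
        return self._pending

    def verify(self, response):
        """Accept only an answer to the current challenge, and consume the challenge
        whether or not the answer is right, so an observed answer is useless later."""
        if self._pending is None:
            return False
        cells, self._pending = self._pending, None
        if len(response) != len(cells):
            return False
        expected = ",".join(f"{self._card[c]:02d}" for c in cells)
        given = ",".join(f"{int(v):02d}" for v in response)
        return hmac.compare_digest(expected, given)  # constant-time comparison
```

Because the card is static, an attacker who photographs it holds the factor outright; the random cell selection only limits what a single observed login reveals.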

Government agencies need authentication, too, and under the August 2004 Homeland Security directive, they are required to conform to governmentwide credentialing standards. But the mishmash of access systems in use today isn't always interoperable. So, agencies are looking for common ground, sending government down a different route than private industry in achieving stronger authentication systems.

Smart cards are widely used in government now, and experts believe that ubiquity means they'll become the favored means for verifying identity. The Defense Department's Common Access Card Program already issues cards to employees, and smart card vendors and agency officials say the cards will become pervasive across federal agencies for gaining access to facilities and computer systems.

Leedor Agam, vice president of the eToken business unit of Aladdin Knowledge Systems in Arlington Heights, Ill., says one problem with requiring universal implementation of smart cards is that few applications currently support the cards and agencies are pressed to bring their systems and applications to conformity with the card-reading technology. USB tokens, on the other hand, are easier to use with a larger number of applications. "The common access cards may have two applications supported, [tokens] have 20," says Agam.

Aladdin is working with five agencies to provide, among other services, tokens for employees to gain remote access, which Agam believes are a practical and less expensive alternative to smart cards for employees who need additional security protection beyond passwords.

John Thielens, chief technology officer at Tumbleweed Communications Corp., a Redwood City, Calif.-based online security firm, says there is no difference in application complexity for reading USB-based or card reader-based verification systems. Nevertheless, "One of the advantages of the USB tokens is that they're ubiquitous, they're always there," says Thielens. "That's not true with smart card readers."

Mark Breckenridge, deputy director of the Identity Authentication Office at the Defense Manpower Data Center, which supervises Pentagon personnel programs and pioneered the Common Access Card Program, says new software will be necessary for any regime that asks users for two forms of identification, whether it is a smart card or a token. "You still have to write applications that talk to the USB port," Breckenridge says. "I don't think we get away from writing applications."

With an Oct. 27, 2006, deadline for creating an identity verification system that's compatible governmentwide using the smart card format, agencies are scrambling to purchase card readers. The General Services Administration is working to minimize costs by purchasing readers in large quantities. Depending on size, agencies will pay anywhere from $15 to $35 per card. Windows-compatible card readers are priced from $15 to $20.

While agencies are not required to issue a card to every employee by Oct. 27, they do have to demonstrate compliance. Even that won't be simple. "There's going to be interaction between a lot of different systems as a result of [the directive]," says Aaron Zitzer, director of solutions marketing for ActivCard Inc., an authentication token vendor in Fremont, Calif.

A group of agency project managers, led by John Moore, a GSA program analyst at the Office of Governmentwide Policy, Office of Technology Strategies, meets every two months to determine how smart cards can be used.

Establishing one standard for the cards is a complicated effort, with a disparity of computer systems and needs throughout the government. "You're talking about a process that will take several years to achieve," says Shannon Kellogg, director of government and industry affairs at RSA Security Inc. in Bedford, Mass. "Ultimately, there will be some that won't be able to achieve full compliance."