TWIC IDs on the way, but TSA stops short of giving the nod to contactless readers
25 September, 2006
category: Biometrics, Contactless, Government, Library, Transit
By Marisa Torrieri, Contributing Editor
The International Biometric Industry Association (IBIA) is meeting with the Transportation Security Administration in the hopes of convincing the federal agency to include contactless readers as part of its new credentialing and security system for ports and maritime workers.
Smart cards containing the contactless technology were tested during a yearlong “Prototype Phase” of the Transportation Worker Identification Credentials (TWIC) initiative. IBIA believes that the test was a success and proved that the contactless reader was the right way to go. If TSA specifies a new reader approach that wasn’t tested, such as using contact readers, then the reader portion of the prototype test would have been an effort that International Biometric Industry Association Chairman Walter Hamilton calls a waste of time, money, and resources.
Without a defined reader requirement to use the TWIC card in an automated fashion, “It’s half a TWIC, a very elaborate smart card credential with data stored in it and a number of security features and characteristics,” explains Mr. Hamilton. “(But without the reader) it’s just a flash pass.”
TWIC is a secure identification credential that uses smart card technology designed to authenticate transportation workers prior to granting access to secure areas of transportation facilities. It does this by linking that person’s claimed identity and background information to the holder’s biometric stored on the credential.
The TWIC program, moving toward the implementation phase, took what many in the biometrics industry call a wrong turn in May. In draft versions of a rule and privacy impact document, TSA endorsed the use of a contact reader and PIN to release the biometric data instead of using the contactless reader with encrypted biometrics that were tested in the pilots.
The decision, says Mr. Hamilton, was apparently in response to concerns that releasing biometrics through the use of contactless readers (in lieu of contact-and-PIN readers) would clash with Homeland Security Presidential Directive (HSPD) 12’s PIV (personal identity verification) cards that follow the FIPS 201 specification.
One of HSPD-12’s tenets is that agencies take measures to ensure contactless or other technology is secure and doesn’t compromise personal privacy. Though many feel the concern is unwarranted, the current PIV specification restricts transmission of the interoperable reference biometric via the contactless interface.
Although the contactless smart card tested over the last few years during the initial phase of TWIC proved successful, “the current PIV spec [of FIPS 201] does not allow placement on the contactless side,” notes Tom Buss, senior V.P. for Product Development and Management at CrossMatch Technologies. “If you’re using an HSPD-12 PIV card, and you want to make use of the interoperable reference biometric which is only allowed on the contact side of the card, you need to use a contact reader. Therein lies the controversy.”
In the TSA Notice of Proposed Rulemaking, “Transportation Worker Identification Credential (TWIC) Implementation in the Maritime Sector; Proposed Rules” dated May 22, 2006 (http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2006/pdf/06-4508.pdf), TSA clearly states its intention that all aspects of the TWIC program coincide with the HSPD-12 mandate:
“The development of FIPS 201 occurred concurrently with the design of TWIC … TSA recognized that there are many benefits to designing TWIC in alignment with FIPS 201: Leveraging the TWIC infrastructure to support other DHS or government credentialing programs; avoiding obsolescence by using the latest technology; securing critical facilities with the same process used by Federal agencies; having interoperability during an emergency; and demonstrating the functionality of FIPS 201.”
Still, the lingering hope from TWIC pilot testers, who are tinkering away on technology to meet the needs of the TSA program, is that the smart card and biometric industry will be able to work with TSA and hash out restrictions against contactless biometric access.
Why many feel contactless is the right solution for TWIC
So what is the big deal whether the biometric is accessed via a contact or contactless interface? As it stands now, the contact card would require entrants to a secure access point to put the TWIC card into a contact reader slot, enter a six-digit PIN, and then place their finger onto a biometric sensor. While this would be secure, there are questions about the speed of moving people and vehicles when contact card insertion and PIN entry are required.
Also, the contactless approach is better suited for port environments because there is less wear and tear on the readers themselves, since all of the components are sealed against the weather.
“Dirt, dust, salt air, and other airborne contaminants will enter that [reader] slot, and possibly along with chewing gum, and the internal components of that reader will deteriorate,” says Mr. Hamilton.
Adds Mr. Buss: “The issue with contact cards is you literally have to have a slot that you can slide your card into so cards can be read. And that provides an opening by which the product can be compromised.”
Another big qualm among industry stakeholders is the wastefulness resulting from the delay: the TSA plans to issue more than 750,000 cards later this year.
Thus, transportation workers, who already have to pay $139 for a TWIC card and take time off from work both to enroll and then to receive the card at a remote issuing facility, might have to go through the same routine again to update their card or obtain a new one, Mr. Hamilton says.
“Potentially, depending on how this reader specification evolves, they may have to go a third time to get these cards updated within a few months,” he adds.
For now, in addition to IBIA meeting with the TSA, Mr. Hamilton is working to establish an industry advisory group to assist TSA in resolving the perceived technical and operational issues relating to TWIC readers.
“If investigation of readers is conducted quickly, and software features that need to be introduced early on are introduced, very few workers will be inconvenienced,” Mr. Hamilton says.
Additional Resources:
For more on TSA’s TWIC card initiative, as well as answers to common questions, visit
http://www.tsa.gov/whatwe_do/layers/twic/twicfaqs.shtm