Identity One

Replacing low assurance credentials Are you issuing a low assurance credentials in a high assurance access control environment? Examples of low assurance credentials are low security access cards like Prox, iClass, SEOS and MiFare Classic/Desfire. What do you do for students, interns, and short-term employees who may only be on-site for 90 days but will not receive their PIV card until near the end of their time? What about long term contractors or employees who may not be eligible for a PIV card? Visitor badges are intended for short term use, but we know facilities are making exceptions and by doing so taking a big security risk. You can issue all of those people a high assurance credential controlled in your environment instead of taking that risk. FIPSlink by Identity One has the solution with FIPSlink CMS (Card Management System) and FIPSlink Visitor. FIPSlink CMS is a fully integrated PIV and PIV-I Card Management System for enrollment of people (capturing photo and ANSI378 fingerprint), issuance of certificates for the person and card, and writing to the PIV or PIV-I card. When FIPSlink CMS is coupled together with FIPSlink Visitor temporary CIV / PIV-I cards can be issued to be visitors from a Kiosk. FIPSlink CMS and FIPSlink Visitor is a cost-effective solution for using PIV / PIV-I cards in place of traditional low assurance credentials like iCLASS, SEOS, Proximity and MiFare Classic/Desfire. It is designed to fill the gap between an Enterprise-Wide CMS and the need for a locally administered system. Simple setup and configuration management with built-in certificate authority deployed on-premises. Let’s discuss how FIPSlink CMS and FIPSlink Visitor can help eliminate vulnerabilities in your security plan.

HID “Keys to the kingdom” exposed at DEFCON 32 At the recent DEFCON 32 convention in Las Vegas, an interesting presentation (High Intensity Deconstruction: Chronicles of a Cryptographic Heist) was made outlining an approach to “stealing” the keys from certain HID encoders for the iCLASS SE platform. While much of the talk goes way over my head, it seems like the standard keys for ICLASS SE & SEOS are vulnerable to the approach outlined. While the impact to most should be small, and HID had added iCLASS SE to its legacy product range some time ago, this should serve as a timely reminder of the importance of using high assurance credentials (PIV/CAC/TWIC) in your high security areas. FIPS 201 credentials offer a higher level of security when utilizing the PKI built-in to the platform and supported hardware & software that ensure the credentials are not cloned (or tampered) and have not been revoked by the issuing agency. https://buff.ly/3AzJkul

Physical and Logical Convergence through Design The Cybersecurity Infrastructure Security Agency (CISA) released guidance on the topic of Convergence for federal agencies in 2019. Physical Security and IT departments are increasingly recognizing the reality of converged threats. The traditional separation between these two domains has often led to isolated management of vulnerabilities, which might seem manageable on their own. However, when malicious attacks or simple oversights bridge these gaps, the risks can escalate dramatically. As Dark Reading’s Thomas Kopecky says: “Physical security and cybersecurity are intrinsically connected, and it is no longer effective to manage these threats separately. Cyber-physical incidents can quickly lead to physical harm, destruction of property, environmental disasters, and worse.” To address today’s evolving security challenges, Physical Security and IT departments need to better align their budgets and objectives. For example, the Department of Defense (DoD) has made strides in this direction by investing in integrated security systems that combine physical access controls with cybersecurity measures. This alignment is crucial for reducing risks while maintaining convenience and ensuring compliance with company policies. Advanced converged technologies, such as biometric access controls and real-time monitoring systems, can aid in managing these risks. However, the ultimate responsibility lies with security professionals to chart the right course, integrating both physical and cyber security measures to safeguard their organizations effectively. Here is an example of a physical access breach leading to a logical access breach as completed by an ethical penetration testing company. “I went into the manager’s office and assumed the role of, “I’m here with the help desk. We’re trying to make the network faster.” He escorted me to every machine, and I did a 100% compromise of every machine in that branch, including the wire transfer computer and the network servers. He gave me full access to everything, and he walked with me to do it.” Jayson E. Street, Secure Yeti. Solution: To overcome these challenges, federal agencies can implement a converged security strategy involving the following key steps: Read the remainder of the article and recommended solutions here:

NIST Revises SP 800-73 and SP 800-78 Next month will mark the 20th anniversary of President Bush signing into law Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004. The directive transformed identity management for federal employees and introduced the Personal Identity Verification (PIV) credential. A few years later FIPS-201-1 was established to meet the security and inoperability goals of HSPD-12. As a reminder that FIPS 201-1 is a living document, the National Institute of Standards and Technology (NIST) continues to revise the standard and its associated Special Publications.? FIPS 201-1 has been revised two times. The current standard is now titled FIPS 201-3. On July 15, NIST published SP 800-75-5 “Cryptographic Algorithms and Key Sizes for Personal Identity Verification” to align with the revised standard. This document is more cerebral than most access control providers will ever need to wade through. The software developers at Identity One will be doing that deep dive for its clients. However, I was drawn to an identified major change that noted “additional use of facial recognition for general authentication.” Could this be another step toward the US Federal Government becoming comfortable with Facial Recognition Technology (FRT)?

Reminder: TWIC Cancelled Card List has moved One of the most critical, or at least most visible elements of TWIC validation revolves around the TWIC Cancelled Card List (CCL), a CSV file published by the TSA daily that defines which TWIC credentials have been cancelled (lost/revoked/etc.) that should no longer be considered valid for use. For the last several years, the CCL files have been made accessible via a legacy URL and a new URL, but as of the end of June, the legacy URL has finally been retired. For self-hosted FIPSlink sites you can confirm your system is using the correct URL by following the steps in this FIPSlink Knowledge Base. For FIPSlink Cloud customers, this setting is managed for you and is already up-to-date.

Handheld CAC / PIV / PIV-I / TWIC Registration Validation and registration of CAC /PIV / PIV-I / TWIC credentials into an access control system via FIPSlink has never been easier. Facility personnel can now register card holders with an Android based handheld device in addition to a windows-based PC or laptop. FIPSlink performs the validation / authentication of the credential and the cardholder and upon successful validation sends cardholder information to the access control system directly from the handheld. Unregistered cardholders can be validated and registered into FIPSlink and your facility’s access control system anywhere onsite or offsite. Register at a gate or guard shack. Register TWIC holders at a local union hall. Offer additional registration areas at the security office. With CAC/PIV/PIV-I/TWIC registration available on handhelds, your facility decides the when and where of making registration faster and easily accessible. FIPSlink CAC / PIV / PIV-I / TWIC registration is available on Android based hardware from our partners at Coppernic, Idemia, HID, Credence ID, and Iris ID.

Introducing Share Istre: North Region Sales Manager at Identity One Hello! I’m Shane Istre, the new North Region Sales Manager at Identity One. My region covers the Northeast, west all the way to Chicago and South to Maryland. I am positioned well for this role at Identity One. As an ARMY intelligence officer part of my focus was physical and logical security. I was able to practice these skills in real time during my combat tour in Baghdad. I was also an Army instructor, focused on counter terrorism leadership training for Homeland Security and the Louisiana National Guard. Additionally, I helped write some of the emergency response plans for critical infrastructure throughout the US as a contractor to FEMA. This experience gives me a big picture sense of security and access management and its importance to homeland security as well as an understanding of federal funding and policy development in this space. In addition to my security experience, I bring significant project management experience. I have a PMP certification. I’ve helped to design and implement software for the last ten years as an agile Product Owner for customers at the Enterprise and federal level. This gives me the ability to identify new features and requirements in the field and to translate them accurately for our internal team. Please reach out if you have any questions about FIPS-201, FICAM, or the TWIC final rule. If you are with a Physical Access Control System (PACS) or dealer/integrator, I am available to provide sales support during your meetings with end users who need information about any of our products and I’ll be bringing opportunities to our partners to work on together. I’m here to help so do not hesitate to contact me as the need arises.

Visit Us at ISC West! Genetec Booth #13062 Learn about Identity One FIPSlink for Access Control, PIV/PIV-I Issuance and Visitor Self-Service Kiosks at the ISC West trade show in Las Vegas, Nevada from April 9-12, 2024. Visit our partners Genetec Booth #13062 or contact Trent White [email protected] or 470.338.7453 to schedule a meeting. Identity One has created the next generation of FIPS 201-compliant software for mobile validation and registration to PACS (Physical Access Control Systems). As a FICAM certified solution, FIPSlink from Identity One registers and validates CAC, PIV, PIV-I, TWIC and CIV credentials for U.S. Federal civilian agencies, the Department of Defense, Ports and Harbors, the Chemical Energy Critical Infrastructure Sectors and Defense Contractors. FIPSlink use cases include: Access control and access verification from handheld devices for CAC, PIV, PIV-I and TWIC cardholders with real-time access communication from handheld to PACS and offline local cache decisions Contactless biometrics enrollment (Face, Finger and/or Iris) and registration of CAC, PIV, PIV-I and TWIC into PACS Commercial card (HID iClass, HID SEOS, MiFare Classic, MiFare Desfire, Proximity etc) in PACS linked as a derived credential from a CAC, PIV, PIV-I or TWIC with all association validity Contactless biometrics with CAC, PIV, PIV-I or TWIC at time of access with Wiegand or OSDP to PACS panels FICAM certified registration and validation of CAC, PIV and PIV-I cards into PACS Kiosk for Self Service Temporary PIV issuance for employees and contractors that have forgotten or lost their original PIV card automatically registered into PACS Kiosk for Visitor self-service PIV Registration and notification to host that guest has arrived and registering into OnGuard and assigning visitor access level into PACS Logical and physical convergence linking logical access control and physical access control via PACS Mustering on mobile handheld devices for CAC, PIV, PIV-I and TWIC cardholders reporting into PACS PIV Card issuance (Card Management System) for contractors, interns, and short-term employees automatically registered into PACS Temporary PIV-I card issuance for employees needing a short-term replacement for a lost card or employees that have not yet received their credential (issued cards support logical and physical) automatically registered into PACS TWIC QTL certified registration and validation of TWIC cards into PACS Visitor PIV cards for use by Visitors (HID TAC equivalent)

Visit Us at ISC West! AMAG Technologies Booth #14089

Visit Us at ISC West! IDENTIV Booth #12089 Learn about Identity One FIPSlink for Access Control, PIV/PIV-I Issuance and Visitor Self-Service Kiosks at the ISC West trade show in Las Vegas, Nevada from April 9-12, 2024. Visit our partners IDENTIV Booth #12089 or contact Trent White [email protected] or 470.338.7453 to schedule a meeting. Identity One has created the next generation of FIPS 201-compliant software for mobile validation and registration to PACS (Physical Access Control Systems). As a FICAM certified solution, FIPSlink from Identity One registers and validates CAC, PIV, PIV-I, TWIC and CIV credentials for U.S. Federal civilian agencies, the Department of Defense, Ports and Harbors, the Chemical Energy Critical Infrastructure Sectors and Defense Contractors. FIPSlink use cases include: - Access control and access verification from handheld devices for CAC, PIV, PIV-I and TWIC cardholders with real-time access communication from handheld to PACS and offline local cache decisions - Contactless biometrics enrollment (Face, Finger and/or Iris) and registration of CAC, PIV, PIV-I and TWIC into PACS - Commercial card (HID iClass, HID SEOS, MiFare Classic, MiFare Desfire, Proximity etc) in PACS linked as a derived credential from a CAC, PIV, PIV-I or TWIC with all association validity - Contactless biometrics with CAC, PIV, PIV-I or TWIC at time of access with Wiegand or OSDP to PACS panels - FICAM certified registration and validation of CAC, PIV and PIV-I cards into PACS - Kiosk for Self Service Temporary PIV issuance for employees and contractors that have forgotten or lost their original PIV card automatically registered into PACS - Kiosk for Visitor self-service PIV Registration and notification to host that guest has arrived and registering into OnGuard and assigning visitor access level into PACS - Logical and physical convergence linking logical access control and physical access control via PACS - Mustering on mobile handheld devices for CAC, PIV, PIV-I and TWIC cardholders reporting into PACS - PIV Card issuance (Card Management System) for contractors, interns, and short-term employees automatically registered into PACS - Temporary PIV-I card issuance for employees needing a short-term replacement for a lost card or employees that have not yet received their credential (issued cards support logical and physical) automatically registered into PACS - TWIC QTL certified registration and validation of TWIC cards into PACS - Visitor PIV cards for use by Visitors (HID TAC equivalent)