by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : June and July 2016
AUTHENTICATION 32 GCN JUNE/JULY 2016 • GCN.COM Another advantage of using smart- phone-based biometrics for authenti- cation is that the scans never leave the device. Agencies can easily issue new passwords to employees if the old ones are compromised, but fingerprints and eyeballs are significantly more difficult to refresh. “By storing those attributes on the device, you don’t have a honeypot of millions of records,” said Patrick Clanc- ey, senior director of federal programs at MorphoTrust USA. Nok Nok Labs CEO Phillip Dunkel- berger agrees that putting trust in a purely software-based solution is risk- ier, and the hardware component that identification cards offer is a signifi- cant advantage. In addition, the latest smartphones have built-in hardware- based security features, Dunkelberger said, and that “secure element hard- ware...is the most secure way you can do it.” Clancey said adoption of biometric security is likely to come first in the pri- vate sector. “Once it is proven and com- moditized, you’ll see adoption by state, federal and local agencies,” he added. Yet although mobile-based biomet- rics are a great addition to security, they should not be the only component, Pre- scient Solutions CIO Jerry Irvine said. “There’s still a lot of concern about the security of mobile devices because they’re still consumer-grade devices,” he added. CONTEXT-BASED AUTHENTICATION With multiple forms of authentication to improve security, verification no longer has to be annoying and intru- sive for users. Instead, “people are looking at con- textual-based indicators of authentica- tion or trust,” Clancey said. Those indicators are passive, which means the user isn’t even aware the verification is happening. For example, an employee’s location when he or she logs in could factor into the authenti- cation process. If an employee is at his or her work computer, for example, that’s one lev- el of authentication. Logging in from home is another. Logging in from, say, North Korea might lower the trust level of that particular connection. Another type of passive authentica- tion verifies employees by the fact that they have their phones with them. Al- though by itself this is no guarantee of identity, it does make it more like- ly that individuals are who they say they are. A person’s walking gait or typing pat- tern can also help verify users, without he or she having to jump through any additional hoops. “The general trend that we see... is toward more passive, contextual au- thentication,” said Paul Madsen, prin- cipal technical architect at Ping Iden- tity. “Rather than having the user go through this overt, explicit login cer- emony, our systems get better at being able to recognize the user passively.” Only when the risk profile requires it would employees be asked to take additional steps, such as a biometric scan of some kind, he added. BEHAVIOR-BASED AUTHENTICATION Even with context-based passive au- thentication backing up the biomet- When it comes to issuing credentials to employees, government agencies benefit from an additional authentication step that is not well appreciated: At some point in the hiring process, a trusted human resources manager or supervisor physically meets with new hires and verifies their identification documents. When providing online services, however, that personal touch is not always possible. And even if a credential is issued via a reliable channel, if it’s only used once a year there’s a good chance an individual will lose it or not notice it was misplaced until months later. Experts say the answer is to base the security credential on something that a person would be careful not to lose and would quickly replace if they did — such as a primary payment card, a mobile phone or a driver ’s license, said Andre Boysen, chief identity officer at SecureKey Technologies. And, in fact, smartphones and driver’s licenses are increasingly being used to authenticate people when they access government websites. In Canada’s British Columbia, for example, driver ’s licenses include an EMV chip, the same kind of secure technology found in the latest credit cards. “ EM V is global, and it’s proven, low-cost and very trustworthy,” Boysen said. To log into a system that requires maximum proof of identity, a user taps his driver ’s license against his phone. The system checks that the license has not been Can biometrics support better citizen services? SHUTTERSTOCK 0716gcn_030-033.indd 32 6/2/16 12:36 PM
August and September 2016