Are we on the verge of a revolution in authentication in this country? Many vendors and analysts feel that the impending implementation of the governments Homeland Security Presidential Directive-12 mandate could lead to one.
Heres the actual presidential directive.
The government goals in this effort are to create a uniform and secure form of identification for federal government personnel.
A smart card is a good choice for this, as its flexible enough to include both visible information, such as a photograph, and digital information, such as fingerprints, a digital copy of the photo, It can also carry specific information for some people and not for others.
Smart cards have been around for some time now. They have been widely used in Europe in a variety of applications; those SIM (Subscriber Identity Module) cards you put in a GSM phone are smart cards. In the United States, the most widespread use of the may be as encryption keys for DirecTV.
In Europe smart cards have been used in ways that would seem fantastic here; in Germany, smart cards are the official identification for the national health care system since 1993.
Private companies are accepting the cards for online transactions and banking, a great convenience to be sure, but a development that would raise fears in the United States. Elsewhere around the world, they are used for drivers licenses.
Why have smart card applications not caught on in the United States, at least not to the degree that they have elsewhere? Its not all about privacy. There has been plenty of industry backing for them, not least from Microsoft (although as a business network authenticator, not for consumers).
The cost issue here in the United States seems to be predominant. Many believe that a “contactless” solution (for example, RFID-based) will make a better business case.
This is odd, since RFID solutions have raised so many more privacy issues and seem, at least at first glance, to be so much more prone to privacy abuse.
Contact smart cards have a set of physical contacts and must be inserted into a reader (see the nearby image, and the gold contacts on the card itself).
Contact smart cards have a number of advantages that can also be spun as disadvantages, depending on your point of view. For instance, they dont have batteries; the power is supplied by the reader through the contacts. This also gives them form factor advantages over contactless cards.
Contactless smart cards use RFID to communicate with readers, but arent brain-dead transmitters of their storage like many RFID devices. They can be subjected to security protocols to combat casual scanning.
Another government application blazing the smart card trail is public transportation systems.
The Washington (D.C.) Metropolitan Area Transit Authority SmarTrip card is a contactless smart card.
The appeal is obvious; if you use the New York City subways, you know the aggravation it can sometimes be to get your MetroCard to swipe successfully, or to wait behind someone who is having a hard time with theirs. The SmarTrip just reads as you walk by.
Industry momentum notwithstanding, I dont see RFID solutions reaching many sensitive applications here in the United States because of privacy concerns.
Of course, we will be seeing them in passports soon, and well see whose predictions prove true about that.
RFID solutions do raise the potential for abusive reading by third parties and the use of that data for unsavory purposes.
I can imagine a major insurance company using smart cards for ID, or a state using them for drivers licenses, but I cant imagine contactless ones being accepted.
I have to admit that what makes me most leery of smart cards in the United States is that their adoption is being driven by government use.
Im not a really hard-core worrier on privacy issues, I just dont trust government, and it seems unlikely to me that they would have hit on the right solution where private market forces declined it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at email@example.com.