Monday, November 26, 2012

Just One Fingerprint Between You and the Caribbean




World’s First Multilateral eID Border Crossing Program

Thought to be the most effective eID implementation ever, CARIPASS (made by Caricom) is a travel card that will enable faster and more secure travel between Caribbean countries. First projected in 2009, CARIPASS has 15 governments in the Caribbean Community participating in the program, enabling this more efficient travel option throughout the entire region. The governments include those of Antigua and Barbuda, Barbados, Dominica, Grenada, Guyana, Jamaica, St. Lucia, St. Kitts and Nevis, St. Vincent and the Grenadines, and Trinidad and Tobago.

CARIPASS works as follows: eligible travelers enroll at local immigration offices, where their facial image and two fingerprint scans are recorded and stored. This data will then be electronically transferred to an ID card (shown below). While traveling, these travelers will use self-service border crossing gates. Here, travelers will insert their Caricom Travel Card and will then be asked to verify their biometric data by completing a fingerprint scan. And then, voilà! The traveler has passed border controls and is in the gate.



In order to be eligible for CARIPASS, a traveler must be at least 16 years old, possess a passport and be a citizen of a CARICOM nation. As advertised by Caricom, CARIPASS caters to the frequent traveler, the “no hassle” traveler and the “pressed for time” traveler.

Once a traveler applies for and is granted a CARIPASS, the travel card will replace the passport completely when traveling within the Caribbean. However, a CARIPASS is a costly travel card. For a one-year pass, there is a non-refundable fee of $150, and for a three-year pass, there is a non-refundable fee of $250. Furthermore, this fee is in addition to the cost of a passport, since a passport is required in order to apply for the CARIPASS. For a region largely composed of developing countries, these costs are neither very reasonable nor convincing for travelers.

Due to this issue, and to the inferred lack of political direction at Caricom, the company has been postponing this project since 2009, when it was first proposed. Regardless of these issues, however, Caricom has now purchased and installed all of the equipment necessary to implement this program. As a result, we can now firmly predict a sooner-than-later date for the system’s implementation.

Once implemented, CARIPASS will be the world’s first multilateral eID border crossing program.

Sunday, November 25, 2012

A New iPhone Case that Protects More than its Glass Screen



The need for iOS device security is no new concern, but a security enhancement for Apple devices is definitely among the new breakthroughs.

Precise Biometrics, a technology company that creates smart card and fingerprint recognition products to improve security, has created an innovation: Tactivo. Physically, with a size of 5.17” x 2.47” x 0.6”, Tactivo is a sleek iPhone case that maintains access to the iPhone's buttons and connectors, with the ability to synchronize and charge without the case’s removal.

Aside from its Otterbox-like characteristics, Tactivo features a combination of built-in smart card and fingerprint readers, in addition to a clear smart card cover to display government or other photo-embossed access credentials, for iOS devices like the iPhone 4, the iPhone 4S and, as of this upcoming summer, the iPad.


Although Tactivo will easily appeal to the general public, its price tag of $249 per case shows its target consumers to be agencies and companies that have far more valuable data worth securing. In fact, this idea is projected to be a breakthrough for government uses. Tactivo supports major U.S. government credentials, including PIV, PIV-I, CAC and TWIC cards.

“The initial market for this device is aimed toward government to allow them to meet the demand of Homeland Security Presidential Directive 12, a directive stating that all federal government workers and contractors must utilize a personal identity verification card for logical and physical access, along with DOD which uses a common access card for access,” stated Harris. “On mobile platforms there previously was no way for the U.S. government to utilize the hardware token on an iOS product.” Michael Harris, CTO for Precise Biometrics.

With this new smart case, iPhone apps can make use of novel authentication options, like password replacement (today’s passwords, that is). Furthermore, more passwords and sensitive information can be securely stored on one’s iPhone.

“What drove the development of this product was the need for strong end-point authentication in a mobile context… The product expands data and the network beyond the premise of an enterprise or an office, but what is technologically specific to the product is the miniaturization of both smart card and biometric sensor technology. This product pushes the envelope from flatbed biometric sensors to low-power and low-weight swipe sensors that can be used in a mobile environment.” Michael Harris

Precise Biometrics plans to release new versions to support new iPhone versions and the iPad. Further, the firm expects to extend Tactivo to more smartphone brands.

Sunday, November 11, 2012

Searching for Better Security Solutions


Two-Factor Authentication vs. Biometrics Authentication


More often than not, the argument over the implementation of biometric authentication brings us to a counter-solution: two-factor authentication (TFA, for short). Many argue that TFA allows for greater security (than the typical single-password authentication), without needing very much of a user’s personal information. However, others do not find TFA’s “additional security” significant enough for TFA to constitute a valid security improvement, bringing us to the solution of biometric authentication. In this article, we will examine and compare the two options: two-factor authentication and biometric authentication.

Let’s begin by pointing out that TFA’s concept is not entirely new. We have all used it, for example, when using a debit card: both the debit card and a PIN number are required to retrieve one’s banking information. Simply put, TFA, also known as two-step verification, is a means of authentication that requires two of the following authentication factors: a knowledge factor (something the user knows), a possession factor (something the user has), and an inherence factor (something the user is). Google, PayPal and Dropbox have recently implemented this system. Users can elect to have a two-step verification system to protect their accounts; they first log in with their username + password, and then are sent a text message with a verification code that is required as a “second password”.
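The two-step flow described above (password first, then a code sent by text message), sketched from the server's side as an added example that is not part of the original post. The class and method names, the 5-minute code lifetime and the 3-guess limit are assumptions chosen for illustration.

```python
import hashlib, hmac, os, secrets, time

CODE_TTL = 300       # assumed: a texted code expires after 5 minutes
MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed per issued code

def hash_password(password, salt):
    # The knowledge factor is stored only as a salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepLogin:
    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> [code, expiry, attempts left]

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def step_one(self, username, password, now=None):
        """Check the password; on success return the code to text to the user."""
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[username] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway, never shown on the login page

    def step_two(self, username, submitted, now=None):
        """Check the texted code: single use, time-limited, guess-limited."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        code, expiry, _ = entry
        entry[2] -= 1
        ok = now <= expiry and hmac.compare_digest(code.encode(), submitted.encode())
        if ok or entry[2] <= 0 or now > expiry:
            del self.pending[username]   # used, exhausted or expired
        return ok
```

The possession factor here is only as strong as the channel that delivers the code; the expiry, single-use and guess-limit checks are what keep a six-digit code from being brute-forced or replayed.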


Historically, TFA has been viewed as overly complicated, requiring too many moving parts and resulting in a less efficient, less expedient Internet experience. It also requires users to have their possession factor (their cell phones) with them at all times. In addition, system administrators hate the overhead on their systems and the extra points of failure. These factors (as well as others) have hindered the growth of TFA, regardless of its additional security.

On the other hand, Jeff Atwood, a software developer, author, and co-founder of the programming question-and-answer site Stack Overflow, explained:
“Yes, it’s a bit cumbersome, but this process is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your e-mail becomes extremely secure.”

Now we can compare TFA to a different solution: biometric authentication. Relative to TFA, biometric authentication is more efficient and expedient. In theory, the system is great in that you can’t “lose” your fingerprint or retina, you can’t forget it, and it is unique to you. Its uniqueness, however, can be seen as both a pro and a con.

While it does allow for great security in that each user has a distinct “password”, it also allows for not-so-great security in that once that fingerprint or retina scan is lost…you’re screwed. Furthermore, current scanners cannot distinguish whether fingerprints are from a real finger or an artificial one. In that case, if a hacker really wants to find another person’s personal data, he can most likely artificially recreate that person's fingerprint. (We also have to realize that this sort of hacking is significantly more difficult than finding one’s password.)

Simple question: what do you think? Is the additional security of biometric authentication worth the risk of possibly losing data as crucial as your fingerprint? Should we avoid such a possible dilemma and stick with two-factor authentication, regardless of its inefficiency/inexpedience? 

Sunday, November 4, 2012

“Biometric Attendance Will Create Slavery”



"The VC has received feedback from students saying that a large number of teachers still do not attend classes regularly. The biometric system is necessary to make them fall in line," a senior DU official said.

At Delhi University in Delhi, India, teachers have been noted for their significant lack of attendance. Just this past Saturday, the executive council authorized the vice-chancellor to take appropriate steps to solve this issue. Consequently, the vice-chancellor plans to have a biometric attendance system in place for the teachers by January 2013.

This system has already been in place for all staff other than teachers for a few years now. In 2009, it was suggested that teachers take part in the system as well; after significant opposition from the teachers, the idea was dropped.



By now, however, the teachers’ punctuality is too great a concern for such behavior to continue. The highest decision-making body of the university discussed the issue and reached a consensus permitting the VC to decide on the implementation of the system; it was announced that the attendance system should be introduced to ensure that a teacher "adheres to the teaching hours and days prescribed by the UGC (University Grants Commission) and the university rules".

The system requires teachers to “sign in” using a fingerprint or retina scan, which will be matched against the records in the databank.

Due to this decision, the teachers belonging to the Academics for Action and Development group appealed to the VC not to go ahead with the new system. For three weeks, they have been protesting outside of the VC’s office, explaining that:

“The biometric attendance will mark the beginning of the era of slavery for the teaching community where teachers will be targeted and hounded by the Heads and the Principals.”

This argument may be exaggerated... some may even say foolish. After all, there should be no problem with a school being able to “target” whether or not teachers are in their classes. The teachers should be there in the first place. However, as a separate argument, what authorizes the school to hold such personal information about faculty as a fingerprint or retina scan? As most arguments against biometric authentication ask, what if such a system is hacked into?