Monday, January 21, 2013

NSTIC GETS SKETCHY: One mainframe to Google your DoD authenticated TWIC card?

A snub from Dept of Defense PKI admins provoked Biometric contractors to out an online authentication transition.

BTC - In a statement released last week, the International Biometrics and Identification Association (IBIA) quipped that it "was unclear" why the Dept. of Defense was trying an interagency authentication with the TWIC cards. The TWIC card program, a TSA-regulated ID for waterway mariners and commercial drivers seeking port access, has suffered massive backlogs. The hobbled program has been declared almost dead after struggling for years to reach its technical goals.

According to WND, the DoD scolded the TSA program for not having its port authentication ready for PKI "trusted networks". The TWIC program's costs were reviled as fraud and waste, with the public facing $420 million in federal business stakes. As Washington veers so close to the fiscal cliff, there may be an appropriations competition for domestic port security between the two agencies. That means business opportunity lost if the TWIC program does not survive.

"One of the missions of trade groups is to promote their trade. There are hundreds of millions of dollars on the table and at risk if the biometric readers required by legislation are not implemented. The information provided may be right on the money and appropriate in correcting misperceptions. However, this is coming from a perspective of firms who stand to win business with the implementation of TWIC," said Eric Holdeman, port security blogger at Emergency Management.

According to a Federal Register notice, confusion ensued over an "Electronic Transportation Acquisition". The notice pointed to a shift in military port authority security to a PKI key applied to transportation worker access.

"The DoD PKI office has determined that the Transportation Workers Identification Card (TWIC) PKI certificate cannot be used to authenticate users for access to DoD systems."

If one presumed that TWIC cards already ran PKI applications under current conventions, the two agencies would simply need to sync the two systems so they would work together.

The IBIA had an answer to why the PKI didn't work.

"[The] reason behind the DOD policy change was that DOD realized that the TWIC card was not cross-certified with the Federal Public Key Infrastructure (FPKI), as required by DOD policy. The FPKI is administered by an interagency body set up to enforce digital certificate standards for trusted identity authentication across federal agencies and between federal agencies and outside bodies, like universities, state and local governments, and commercial entities.

The TWIC card was never intended for use in this type of on-line federated identity authentication infrastructure," says Tovah LaDier, IBIA Managing Director.
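The cross-certification LaDier refers to is easy to see in a small path-validation experiment. The Go program below is an added example written for this page, not code from DoD, TSA or the IBIA; the CA names are constructed placeholders and every certificate is generated in memory. A relying party that trusts only a bridge root rejects a worker certificate issued under a separate TWIC CA root, and accepts it only once the bridge root has issued a cross-certificate vouching for the TWIC CA's key. A relying party that trusts the TWIC root directly (the card's original use case) accepts the same certificate with no cross-certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder names; these are not real federal or TSA CAs.
const (
	fpkiRootName = "Example Federal Bridge Root (constructed)"
	twicCAName   = "Example TWIC Issuing CA (constructed)"
	twicUserName = "Example TWIC Holder (constructed)"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate binding subject to subjectPub. When parent is nil
// the certificate is self-signed (a root) and signer must be subjectPub's own key.
func issue(subject string, subjectPub *ecdsa.PublicKey, isCA bool,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs need certSign to be accepted as issuers
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario holds two independent PKIs plus the cross-certificate that links them.
type Scenario struct {
	FPKIRoot, TWICRoot, TWICUser, CrossCert *x509.Certificate
	FPKIRoots, TWICRoots                    *x509.CertPool
}

// BuildScenario creates a bridge root, a separate TWIC CA root, a worker certificate
// under the TWIC CA, and a cross-certificate: the same TWIC CA name and public key,
// but signed by the bridge root instead of self-signed.
func BuildScenario() *Scenario {
	fpkiKey, twicKey, userKey := newKey(), newKey(), newKey()
	fpkiRoot := issue(fpkiRootName, &fpkiKey.PublicKey, true, nil, fpkiKey)
	twicRoot := issue(twicCAName, &twicKey.PublicKey, true, nil, twicKey)
	twicUser := issue(twicUserName, &userKey.PublicKey, false, twicRoot, twicKey)
	cross := issue(twicCAName, &twicKey.PublicKey, true, fpkiRoot, fpkiKey)

	s := &Scenario{FPKIRoot: fpkiRoot, TWICRoot: twicRoot, TWICUser: twicUser, CrossCert: cross,
		FPKIRoots: x509.NewCertPool(), TWICRoots: x509.NewCertPool()}
	s.FPKIRoots.AddCert(fpkiRoot)
	s.TWICRoots.AddCert(twicRoot)
	return s
}

// ChainLength validates user against the relying party's trust anchors, offering any
// cross-certificates as intermediates, and returns the length of the first valid path.
func ChainLength(user *x509.Certificate, roots *x509.CertPool, crossCerts ...*x509.Certificate) (int, error) {
	inter := x509.NewCertPool()
	for _, c := range crossCerts {
		inter.AddCert(c)
	}
	chains, err := user.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	s := BuildScenario()
	_, err := ChainLength(s.TWICUser, s.FPKIRoots)
	fmt.Println("bridge-only relying party, no cross-cert:", err)
	n, err := ChainLength(s.TWICUser, s.FPKIRoots, s.CrossCert)
	fmt.Println("bridge-only relying party, with cross-cert: path length", n, "err:", err)
}
```

The first call fails with an unknown-authority error because no path from the worker certificate reaches the bridge root; the second succeeds with a three-certificate path (worker, cross-certificate, bridge root). In a real federation the cross-certificate is what a bridge CA issues after auditing the member CA's practices, which is the step LaDier says never happened for TWIC.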

That's true, but that's not necessarily the end of the intention for biometric adoption in ID cards.

"So 2 PKI vultures walk into a bar..."
IBIA stakeholders are among many players in NSTIC plenary talks for just such an authentication system. They convene with Secured ID coalition members, RFID proponents and others who want to see FICAM's murky interagency prototype expanded to the general public's online markets using typical Google and Facebook log-ins.

According to NSTIC's guiding principles, complications for both public and private authentications may arise if a global authentication player, like the Dept. of Defense, decides to rule out one type of log-in entirely. NSTIC has been the White House's answer to overreliance on insecure passwords, like myname123. Without a password, you may eventually be reliant on a universal authentication module, like Disqus or OpenID, to let you in to online tools you use every day, like web mail. What if Google could be egged on by governments to buttress a universal online identification scheme this way?

Google's sudden decision to wage war on the password smells a bit like an Internet-based final solution. They are promoting one primary external, scannable authentication card for every digital interface: laptops, smartphones, applications, cloud programs etc. If the 4 to 5 most used log-in portals online narrow or convert your log-in options to a government-issued biometric ID for access, then we have arrived early at our One Mainframe society. The IBIA would be happy, not outraged, as they pretended to be earlier, at the notion of a biometric TWIC card being used online. They want biometrics for everyone.
