
Identity Management for Large e-Government Populations


J.R. Reagan

Gordon Hannah

BearingPoint, Inc., 1676 International Drive, McLean, VA USA
jr.reagan@bearingpoint.com
gordon.hannah@bearingpoint.com



Abstract: Large-scale Identity Management and credentialing projects require significant planning because of
the many moving parts and components involved. The global interoperability of the identification,
authentication and digital signature functions that support Identity Management for large populations adds
to the challenges of implementation. Because so many parts are involved in Identity and Credential
Management projects, systems must be carefully designed, implemented, and managed. At the core of these
projects is a standardized, uniform credential that is becoming increasingly capable of providing both a strong
identity assertion and verification of the issuing authority. Further, strong identity proofing and vetting,
coupled with background check capabilities, must be considered in order to have a complete, end-to-end
system.


Keywords: Identity Management, Security, Biometrics, e-identification (e-ID), Smart Cards, Public Key
Infrastructure (PKI)


Table of Contents
1. Overview
2. Challenges in Implementing Large-Scale Identity Management for eGovernment
   2.1 eIDs' Legal & Societal Impact
      2.1.1 Societal Implications in Europe & the US
      2.1.2 Legal Implications in Europe & the US
   2.2 eID Regulatory Implications in Europe & the US
      2.2.1 The effect of eID in Europe & the US
      2.2.2 Verification of eID
      2.2.3 eID & Data Protection
      2.2.4 eID Content & Legal Liability
      2.2.5 eID Cancellation/Revocation
      2.2.6 Global Interoperability
   2.3 eID & Global Standardization
      2.3.1 Smart cards
      2.3.2 Biometrics
      2.3.3 Digital signature
      2.3.4 ePassport/Visas
3. Implementation Best Practices
4. Characteristics of Successful Identity Management Projects
5. Summation


1. Overview
The global interoperability of the identification, authentication and digital signature functions that support
Identity Management for large populations adds to the significant challenges of implementation. Because of
the many moving parts involved in Identity and Credential Management projects, systems must be carefully
designed, implemented, and managed. At the core of these projects is a standardized, uniform credential that
is becoming increasingly capable of providing both a strong identity assertion and verification of the issuing
authority.

A uniform credential incorporates biometric and cryptographic technologies. The biometrics provide the
strong linkage between the credential and the credential holder, and between the holder and the applications;
the cryptographic keys are the means by which the credential is validated to applications that require higher
levels of authentication. Because the credential serves both physical and logical access applications, robust
identity assertion and verification must succeed in both online and offline environments.

Various e-government programs are now evolving to add biometric authentication and to integrate physical
and logical access. These requirements involve unifying identity data from disconnected systems and creating
a system of distributed enrollment for smart cards. People are an inherent part of a credentialing system and
take on a number of roles, including enrollment, performance of background checks, adjudication, and the
personalization and issuance of credentials. An end-to-end identity proofing and credentialing system must
make the most of this human factor to provide the checks and balances that prevent credentialing errors
(issuing a credential to the wrong individual, or to a fraudulent identity).

Documented, well-defined processes should support identity management and verification systems. Potential
failure scenarios must also be considered and addressed, e.g., inability to capture good-quality biometrics,
notification and appeal processes for denial of a credential, and presentation of fraudulent identity documents.
Without strong, well-defined, and consistent business processes, bad actors will quickly find and successfully
target the system's weakest link.
2. Challenges in Implementing Large-Scale Identity Management for eGovernment
2.1 eIDs' Legal & Societal Impact
2.1.1 Societal Implications in Europe & the US
The EU's approach focuses on creating a framework of societal and technological standards prior to
introducing biometric-based systems. Member States will adopt the approved standards that are consistent
with each state's individual legal and legislative requirements as well as its citizens' civil liberty
expectations. (Most 2004)

The US eID approach has focused on first developing the technologies necessary to deploy large-scale eID
programs, with regulatory requirements to follow. This approach has drawn controversy from privacy groups
concerned that the security protecting the information is insufficient and that the technology would allow
real-time tracking of individuals. In response, the US government has stated that it is working on solutions
to protect the integrity of the information, but that rapidly mandating encryption technologies could create
global interoperability problems. (eGovernment News, 2004)
2.1.2 Legal Implications in Europe & the US
The EU and its Member States have defined legal and societal frameworks for eIDs incorporating biometrics
that conform to data protection laws and address citizen acceptability and societal impacts, rather than
setting out a broad vision and then asking commercial enterprises to provide the methods and details.

There has been emphasis on ensuring that the use of biometrics is appropriate and proportional, and that it
adequately and cost-effectively meets the core identification-related security requirements. While this
approach tends to slow the process initially, it addresses fundamental issues and avoids leaving crucial
decisions in the hands of the commercial sector, decisions that could become the subject of public scrutiny
and potential legal battles.
2.2 eID Regulatory Implications in Europe & the US
2.2.1 The effect of eID in Europe & the US
European Union (EU)
eID initiatives have national-level legal and regulatory impact, because the government is usually the issuer
of the identification documents needed for in-person proofing. In addition, privacy concerns need to be
addressed. The integrity of the secure linkage between the eID holder and the information on the eID is a
crucial element if a third party is to accept the credential as valid. In response, standardization initiatives
are in process regarding the:

• Requirements necessary to issue eID credentials
• Documents necessary for issuance
• Process stages requiring the applicant's personal appearance
• Supplemental evidence for proving an individual's identity

Europe has introduced detailed legislation based on national law that complements the national law of the
European Economic Area (EEA). The new eID legislative requirements incorporate the regulatory mandates
that apply to obtaining a visual, paper ID, the justification being that acquiring an eID should not be easier
than the application process for a paper-based ID. Existing regulations offer an initial framework for the
creation of new legal requirements for eID initiatives. One solution that has been discussed is incorporating
the new eID/AIS functional requirements into the existing Directive on Electronic Signatures; however, new
eID-specific regulations may prove necessary. (CEN/ISSS Workshop eAuthentication, 2004)

Fingerprint and facial images are expected to be mandatory features of EU passports. Following the EU
Council's adoption of a new regulation on biometric data, Member States will have 18 months from
December 2004 to incorporate facial images and three years to implement fingerprint images in ePassports.
The UK and Ireland have the option to decline, and Denmark has reserved the right to consider the proposal
for six months before incorporating facial image or fingerprint biometrics.

EU deadlines could mean that Member States will not meet the U.S. deadline of October 26, 2005 for
biometric passport issuance; the EU will therefore look to the U.S. to extend the deadline so that its citizens
retain visa-free travel status. Furthermore, the incorporation of digital fingerprint images in the passport is
likely to be controversial. The inclusion of biometric data, however, follows directly from the ICAO standard
requirements, which specify that facial images are mandatory whereas fingerprint or iris images are optional.
(Elsevier 2005)


United States (US)
The US has not been as proactive as the EU with respect to the introduction of eID legislation. However,
Homeland Security Presidential Directive 12 (HSPD-12), released in August 2004, and the corresponding
FIPS 201 standard provide a framework for eID compliance across Federal agencies and require:

• All Federal agencies to standardize the quality and security of the forms of identification used to gain
  access to secure government facilities where there is potential for terrorist attacks
• A Government-wide standard for secure and reliable forms of identification issued by the Federal
  Government to its employees and contractors (including contractor employees)

HSPD-12 is designed to address post-9/11 concerns, as well as to enhance security, increase Government
efficiency, reduce identity fraud, and protect personal privacy. FIPS 201 accompanies HSPD-12 and is
supported by the smart card interface and technical specification (SP 800-73) and the biometric specification
(SP 800-76). The cryptographic specification (SP 800-78) will be added when it is released later this year.
2.2.2 Verification of eID
Regulations are in place or under way in the EU and the US to address eID content. However, many questions
remain. At the forefront: can current regulations be applied to eID initiatives in a way that ensures the link
between the holder and the credential? And how can the eID verification problem be solved at the
international level?

Currently there are no formal requirements relating to signature verification, only recommendations,
specified in the EU's Electronic Signature Directive and in ICAO guidelines. Furthermore, the debate
continues over content: what information is to be provided to third parties, and for what purpose(s). There is
consensus regarding ePassport initiatives: the information contained in ePassports will remain the same as
that held in paper-based passports, with the addition of fingerprint and facial biometrics. (CEN/ISSS
Workshop eAuthentication, 2004)
2.2.3 eID & Data Protection
Protection of data is directly related to the privacy concerns surrounding eID initiatives, and several
directives address eID data protection. The mandate most frequently referenced is the Electronic Signature
Directive, which gives the credential holder the right to determine whether the information contained in the
eID will be made public. However, the holder's decision has a significant impact on the intended use of the
credential. (CEN/ISSS Workshop eAuthentication, 2004)
2.2.4 eID Content & Legal Liability
The use of eIDs for verification of identity opens the question of liability: which party should be held
accountable for false information in the credential? The Electronic Signature Directive addresses this issue
for the certificate provider by providing a revised burden of proof. However, uncertainty remains regarding
the applicability of the directive to eID issuers. (CEN/ISSS Workshop eAuthentication, 2004)
2.2.5 eID Cancellation/Revocation
eID protection and revocation procedures are necessary to address cancellation of the credential if it is lost or
stolen. In contrast to a paper ID, which requires personal appearance and is thus limited in its use, an eID can
be used in absentia, over the internet, and for an extended period of time. An effective eID revocation
procedure would therefore allow the real holder to cancel the credential immediately. There has been
discussion in the EU of how to address revocation concerns; one proposed solution is a single revocation
point that a holder can contact for emergency cancellation. (CEN/ISSS Workshop eAuthentication, 2004)
2.2.6 Global Interoperability
The previous sections offer a framework for addressing the legal issues relating to the implementation and use
of eIDs. However, international interoperability, and the cross-border trust issues that come with it, must be
addressed as well. It has been argued that the quickest remedy for interoperability concerns would be legal
regulation, or contractual agreements among market parties, with the respective Governments providing
guidance. Until interoperability can be addressed internationally, the interim use of pan-European
interoperability agreements has been suggested as a solution. (CEN/ISSS Workshop eAuthentication, 2004)
2.3 eID & Global Standardization
Until recently, an individual's identity was established through official papers, or because one person knew
the other. World events, as well as the increasing incidence of identity theft, have created the need for
accurate identity verification. Consistent advances in identity management technologies are responding to
these concerns. The result is a transition away from the traditional methods of authenticating an individual's
identity toward methods that use recent advances in biometric and identity management technologies.
Additionally, cross-border standardization is becoming a critical component of eID strategy.

To facilitate faster and more secure control of an individual, the ICAO has adopted recommendations as
guidelines for Machine Readable Travel Documents that incorporate the use of biometrics. Additionally,
NIST and the NSA, the US agencies responsible for standards and security, approve the inclusion of existing
digital signature security standards alongside biometrics for eID control. To improve the efficiency of the
EU-wide visa system, the European Commission advocates the use of biometrics in travel documents. Both
the EU and the US are investigating a unified solution that will support non-EU and EU eIDs.
(Eurosmart Whitepaper on Technologies for Identity, 2003)
2.3.1 Smart cards
The U.S. has begun to standardize its smart credentials in the Government space. Identity credential
interoperability standards have existed in the U.S. for over four years and are being updated to address
specific HSPD-12 requirements, which for the most part expand and extend the previous specifications.
Additionally, aspects of the U.S. standards have been incorporated into the international (ISO) process. The
challenge for the U.S. will be forming new standards while Government organizations with existing
implementations require grace periods and backward-compatibility allowances to migrate to the new
standards. It is uncertain whether the U.S. standards will conform to those provided by the ICAO, as the U.S.
objective is to have stronger identification and authentication standards. Interoperability, on both an inter-
Government and an international basis, will be crucial to the success of identification and authentication
technologies.

The implementation of a new ID system requires difficult choices among various technologies, the
establishment of standards, and the adoption of legal requirements. Policy issues relating to implementation
range from the establishment of agreed-upon standards among participating countries to the degree of
authentication required of individuals. Further, card management policies and processes must be designed
and implemented to support secure personal ID applications. A card issuance process must accurately verify
the identity of the recipient at the beginning of the process, and an individual's identity information must be
acquired and securely stored. After eID issuance, identity information must be securely maintained and
synchronized among applications and with new, updated information. Furthermore, the governance and
management of the secure personal ID card system must acknowledge privacy issues and the infrastructure
cost associated with system deployment. (CEN/ISSS Workshop eAuthentication, 2004)

Smart card based identification solutions can meet the requirements of a wide range of policies and legal
mandates. Smart cards are a powerful tool for improving the security of any personal identification system, as
well as for protecting an individual's privacy rights. A smart card based ID system can support a machine-
assisted identification process, limiting the potential bias or judgment errors associated with human
identification. Coupled with a secure, privacy-sensitive IT architecture, a smart card based personal ID system
can provide accurate personal identification, protect an individual's personal information, and address the
policy and legal requirements currently being debated.
2.3.2 Biometrics
Biometric standardization is less advanced than standardization in the smart card or PKI domains. However,
anti-terrorism programs have caused biometric standardization initiatives to gain strength. Further, the CWA
eAuthentication notes that biometrics offer a means of eliminating the need to remember different PINs for
multiple applications. ISO/IEC JTC 1/SC 37, the subcommittee dedicated to biometric standardization, is
very active and has been producing draft standards at a rapid pace. The most relevant biometric standards are:

• ISO/IEC 19784-1, the BioAPI specification
• ISO/IEC 19785-1, the Common Biometric Exchange Formats Framework (CBEFF),
  Part 1: Data Element Specification
• ISO/IEC 19794-2, Biometric Data Interchange Formats, Part 2: Finger Minutiae Data

Currently the majority of the biometric standards are at the final committee draft stage. Voting is in progress
on a number of the completed drafts, and a robust package of international biometric standards is expected to
be released in 2005. (CEN/ISSS Workshop eAuthentication, 2004)
The ICAO is the de facto leader in the global standardization of eID processes and is at the forefront of
biometric standardization. The majority of the world's countries participate in the ICAO, and the
organization specifies the standards (the multi-part ICAO Doc 9303) for international travel documents,
including passports, visas and ID cards used for travel. Furthermore, ICAO Doc 9303 is accepted as a full
ISO standard (ICAO Doc 9303 is ISO/IEC 7501). (CEN/ISSS Workshop eAuthentication, 2004)

The ICAO has established a new technology working group to decide and define preferred biometric solutions
for aviation and border control. The four ICAO decisions regarding biometric standardization are:

• Contactless chip technology (13.56 MHz) is preferred for Machine Readable Travel Documents
• Facial recognition is the preferred biometric technology for worldwide interoperability in border
  control
• The full image of the biometric characteristic should be held in the chip (the ICAO recommends
  32 Kbytes of memory for storing biometric images)
• Personal data in the card IC is freely accessible, but Member States can decide to apply PIN
  protection

The use of standards-based biometric templates in conjunction with credentialing technologies should be
emphasized rather than the lowest common denominator of images. Templates provide several advantages
over images, including:

• Less storage space needed
• Faster reading and processing times, i.e., better performance
• Better security and protection of identity
• Less need for further protection, such as encryption technologies
• More privacy

The EC and the US have accepted the ICAO biometric recommendations for border control. The US-VISIT
program has influenced countries to rapidly implement ePassport programs. The US has postponed the
original compliance date of October 2004 for the 27 Visa Waiver Program countries until October 26, 2005.
Additionally, in September 2004 the EU Commission requested a postponement of biometric passport
compliance until late 2006.

Biometric enrollment of all persons visiting the US began on September 30, 2004; fingerprint and facial
biometrics are checked against known terrorist and criminal watch-lists. At this time, it is not confirmed
whether database verification processes have been activated. The program was initiated in January 2004 at
115 airports and 14 seaports; since its inception, more than 8.5 million non-US nationals have been processed
without long waits, as the checks take an average of 15 seconds per person. (Eurosmart Whitepaper on
Technologies for Identity, 2003)
2.3.3 Digital Signature
The legal framework for digital signatures is specified in EU Directive 1999/93/EC of December 1999. This
directive is technology neutral and has been used as the foundation for many joint CEN and ETSI
collaborations, for example the CEN/ISSS Workshop eSign. The most applicable digital signature
advancement has come from Area K of the eSign Workshop, which has led to CWA 14890, part of a series of
standards for secure signature creation devices (SSCDs). (CEN/ISSS Workshop eAuthentication, 2004)

CWA 14890 facilitates interoperability between smart cards from different manufacturers and allows
different signature applications to interact with the card. It specifies the application interface to the smart
card during the usage phase, when the smart card is used as an SSCD, enabling national and/or European
smart card interoperability. The EU Electronic Signature Directive, together with the additional eSign
documents and standards, is the basis for the CWA. CWA 14890 applies both to file-system cards (ISO/IEC
7816 native cards) and to object-oriented applications (e.g. Java applets) supported by smart cards.
(CEN/ISSS Workshop eAuthentication, 2004)


CWA 14890 incorporates the following requirements:

Requirement 1
• Electronic signatures and certificates will be interoperable
• Applications and environments unknown to the signer will verify the signatures; therefore, signatures
  and certificates must be standardized to ensure interoperability

Requirement 2
• The physical, logical and application interfaces will be interoperable, at a minimum, for the same
  device type
• The signing device can be used in multiple applications and environments without the installation
  of additional software drivers

Further, CWA 14890 has two parts:

Part 1 describes the mandatory services for the use of smart cards as SSCDs. The mandatory services
address the signing function, storage of certificates, the related user verification, establishment and use of a
trusted path and channel, key generation, and the allocation and format of the resources required to execute
those functions, together with the related cryptographic token information.

Part 2 specifies the optional services based on the same technology available in signature devices. The
optional services cover deciphering, client (card holder) to server authentication, signature verification and
the related cryptographic token information.
2.3.4 ePassport/Visas
Time pressures in the passport space have had a positive impact on interoperability for contactless-interface
integrated circuit chips. A standardized data model and the ability to strongly verify the issuer have resulted.
The missing piece is a uniform method of protecting portions of the information on the chip, such as
fingerprint images; this area must be investigated further, as it would require the addition of significant
infrastructure on an international basis.
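The strong issuer verification this paragraph refers to is, in the ICAO model, a signature by the issuing authority over hashes of the chip's data groups (a Document Security Object, checked by what ICAO calls passive authentication; the page does not use that name). The following Go program is an added example written for this edit, not code from the paper, from ICAO or from BearingPoint. It models the issuance and inspection steps with ECDSA P-256 and SHA-256 in place of the CMS and X.509 structures a real passport uses; the DataGroups and SecurityObject types, the Issue, Verify and Scenario functions, and the data-group contents are all constructions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DataGroups models the ICAO logical data structure on the chip: numbered data
// groups such as DG1 (MRZ data) and DG2 (facial image). All contents used in this
// example are constructed placeholder bytes, not real biometric data.
type DataGroups map[int][]byte

// SecurityObject stands in for the Document Security Object: one hash per data
// group, signed with the issuing authority's document-signer key. A real SOD is a
// CMS SignedData structure; a hash list plus an ECDSA signature is used here.
type SecurityObject struct {
	Hashes map[int][32]byte
	Sig    []byte
}

// sodDigest hashes the hash list in fixed data-group order (DG1..DG16) so that
// signer and verifier always process identical bytes.
func sodDigest(hashes map[int][32]byte) [32]byte {
	h := sha256.New()
	for n := 1; n <= 16; n++ {
		if dg, ok := hashes[n]; ok {
			h.Write([]byte{byte(n)})
			h.Write(dg[:])
		}
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Issue is the personalisation step: hash each data group, then sign the hash list.
func Issue(issuer *ecdsa.PrivateKey, dgs DataGroups) (*SecurityObject, error) {
	sod := &SecurityObject{Hashes: make(map[int][32]byte, len(dgs))}
	for n, content := range dgs {
		sod.Hashes[n] = sha256.Sum256(content)
	}
	d := sodDigest(sod.Hashes)
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, d[:])
	if err != nil {
		return nil, err
	}
	sod.Sig = sig
	return sod, nil
}

// Verify is the inspection step: first the issuer signature over the SOD (is this
// from a trusted issuer?), then each data group against its signed hash (was
// anything altered after issuance?). Either failure rejects the document.
func Verify(trusted *ecdsa.PublicKey, dgs DataGroups, sod *SecurityObject) error {
	d := sodDigest(sod.Hashes)
	if !ecdsa.VerifyASN1(trusted, d[:], sod.Sig) {
		return errors.New("SOD signature does not verify under the trusted issuer key")
	}
	for n, content := range dgs {
		want, ok := sod.Hashes[n]
		if !ok {
			return fmt.Errorf("DG%d is not covered by the SOD", n)
		}
		if sha256.Sum256(content) != want {
			return fmt.Errorf("DG%d has been altered since issuance", n)
		}
	}
	return nil
}

// Scenario runs the three cases an inspection system must tell apart: a genuine
// document, one whose DG2 image was swapped after issuance, and one whose SOD was
// signed by a key the inspection system does not trust.
func Scenario() (genuineOK, tamperDetected, forgeryDetected bool, err error) {
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rogue, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	dgs := DataGroups{
		1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"), // ICAO specimen name line
		2: []byte("constructed-facial-image-bytes"),
	}
	sod, err := Issue(issuer, dgs)
	if err != nil {
		return
	}
	rogueSOD, err := Issue(rogue, dgs)
	if err != nil {
		return
	}
	genuineOK = Verify(&issuer.PublicKey, dgs, sod) == nil
	swapped := DataGroups{1: dgs[1], 2: []byte("attacker-substituted-image")}
	tamperDetected = Verify(&issuer.PublicKey, swapped, sod) != nil
	forgeryDetected = Verify(&issuer.PublicKey, dgs, rogueSOD) != nil
	return
}
```

Scenario returns true for all three flags: the genuine document verifies, the swapped DG2 fails the hash check, and the SOD signed by the untrusted key fails the signature check. Note the limit of this scheme: it proves the data came unaltered from a trusted issuer, but it cannot distinguish a genuine chip from a byte-for-byte copy of its contents, which is one reason the paragraphs that follow are concerned with protecting access to the chip data itself.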

The US is driving the global ePassport effort through the government's deadline for the 27 visa-waiver
countries to issue biometrically enabled passports to those visiting the United States. The unilateral U.S.
mandate has ruffled feathers among U.S. allies, because 20 of the 27 countries in the Visa Waiver Program
are in Europe. In response, the European Commission is expected by year's end to develop new
specifications for European passports that will, like those issued by the United States, adhere to standards set
by the International Civil Aviation Organization (ICAO). Recently, the U.S. voted to grant the visa-waiver
countries, which include most of Europe, Japan, Singapore, Australia and New Zealand, until Oct. 26, 2005
to deploy biometrically enabled passports. However, the Bush administration prefers a November 2006
deadline, given the difficulties of assembling the necessary technology. (Eurosmart Whitepaper on
Technologies for Identity, 2003)

In 2004, the ICAO created a basic structure for the biometric technology to be incorporated in next-
generation travel documents. The framework makes the facial image the mandatory biometric, with
fingerprint and iris as optional additional biometrics. The issues related to biometric data integration are only
beginning to be addressed by industry and government agencies. Further, because private industry has not
yet optimized biometric and related products, there is uncertainty about how accurately ICAO specifications
will be applied to chips, readers and passports. The private sector has not developed benchmarks to assess the
speed, performance and acceptance rate of biometric technology. Furthermore, no decision has been made
regarding the level of security necessary to protect the communication between the chip and a reader. ICAO
specifications provide a range of options, but individual countries are responsible for deciding on ePassport
chip-reader communication security, as well as the chip's operating system. (Eurosmart Whitepaper on
Technologies for Identity, 2003)

The most controversial topic surrounding ePassports and the use of biometric data is the actual handling of
the data. At present, each government is responsible for defining the rules and regulations that govern
biometric data once it is collected and stored on a chip, including whether to allow unlimited access or to
restrict access to the biometric data stored on the passport chip. The EU has been exploring an option that
keeps the biometric data locked, so that it cannot be read unless the document number printed in the
passport's optical character recognition zone has first been read by an optical reader. This extra layer of
protection prevents the biometric information from being read without the knowledge of the ePassport
holder. Furthermore, European countries are investigating the use of a crypto coprocessor that would encrypt
the chip's raw data. In contrast, the US is considering a lower level of security for ePassport biometric data.
(Eurosmart Whitepaper on Technologies for Identity, 2003)
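The locking option described above, in which the chip data cannot be read until the reader has optically read the printed document data, was standardized by ICAO as Basic Access Control (BAC); the page does not use that name. The following Go program is an added example written for this edit, not code from the paper, from ICAO or from BearingPoint. It derives the BAC keys Kenc and Kmac from the three machine-readable-zone (MRZ) fields (document number, date of birth and date of expiry, each with its check digit) following the ICAO key derivation, and then uses a Chip type with a ReadDG2 method, both constructions for this example, to show that a reader which has not scanned the data page gets nothing. The MRZ values in main are those of the worked example published in ICAO Doc 9303; real BAC replaces the direct key comparison in ReadDG2 with a 3DES challenge-response so that the key itself never crosses the air interface.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// MRZCheckDigit computes the ICAO 9303 check digit over s with repeating 7-3-1
// weights: digits keep their value, A-Z map to 10-35 and the filler '<' is 0.
func MRZCheckDigit(s string) (int, error) {
	const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" // value = index in this string
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(s); i++ {
		v := 0
		if s[i] != '<' {
			if v = strings.IndexByte(alphabet, s[i]); v < 0 {
				return 0, fmt.Errorf("invalid MRZ character %q", s[i])
			}
		}
		sum += v * weights[i%3]
	}
	return sum % 10, nil
}

// MRZInformation builds the key-seed input: document number, date of birth and
// date of expiry, each followed by its check digit, exactly as printed in the MRZ.
func MRZInformation(docNo, dob, expiry string) (string, error) {
	var b strings.Builder
	for _, f := range []string{docNo, dob, expiry} {
		cd, err := MRZCheckDigit(f)
		if err != nil {
			return "", err
		}
		b.WriteString(f)
		b.WriteByte(byte('0' + cd))
	}
	return b.String(), nil
}

// adjustParity sets the low bit of each byte so it has odd parity, as DES requires.
func adjustParity(k []byte) {
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			k[i] = b ^ 1
		}
	}
}

// deriveKey is the ICAO key derivation function: SHA-1(Kseed || counter) truncated
// to 16 bytes and parity-adjusted for two-key 3DES. Counter 1 gives Kenc, 2 gives Kmac.
func deriveKey(seed []byte, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha1.New()
	h.Write(seed)
	h.Write(c[:])
	k := h.Sum(nil)[:16]
	adjustParity(k)
	return k
}

// BACKeys derives Kenc and Kmac from the MRZ fields; Kseed is the first 16 bytes
// of SHA-1 over the MRZ information, so nothing can be derived without the data page.
func BACKeys(docNo, dob, expiry string) (kenc, kmac []byte, err error) {
	info, err := MRZInformation(docNo, dob, expiry)
	if err != nil {
		return nil, nil, err
	}
	sum := sha1.Sum([]byte(info))
	return deriveKey(sum[:16], 1), deriveKey(sum[:16], 2), nil
}

// Chip models the access gate on the contactless IC. Comparing the reader's derived
// key directly is a simplification for this example of the real 3DES challenge-response.
type Chip struct {
	kenc []byte
	dg2  []byte // protected biometric data group (constructed placeholder)
}

// ReadDG2 releases the biometric data group only to a reader holding the MRZ-derived key.
func (c *Chip) ReadDG2(readerKenc []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(c.kenc, readerKenc) != 1 {
		return nil, errors.New("security status not satisfied: MRZ not presented")
	}
	return c.dg2, nil
}

func main() {
	kenc, kmac, err := BACKeys("L898902C<", "690806", "940623") // ICAO Doc 9303 worked example
	fmt.Printf("Kenc=%X Kmac=%X err=%v\n", kenc, kmac, err)
	chip := &Chip{kenc: kenc, dg2: []byte("constructed-fingerprint-image")}
	_, skimErr := chip.ReadDG2(make([]byte, 16)) // reader that never saw the data page
	dg2, _ := chip.ReadDG2(kenc)                 // reader that scanned the MRZ first
	fmt.Println("skimmer:", skimErr, "| inspector read", len(dg2), "bytes")
}
```

Running the program prints the derived keys and shows the skimmer being refused while the inspection reader obtains the data group. The gate is only as strong as the fields that seed it: the document number, date of birth and expiry date have limited entropy and are partly guessable, so this protects against reading the chip without the holder's knowledge rather than against a determined attacker, which is consistent with the page's observation that stronger protection requires additional infrastructure.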
3. Implementation Best Practices
Create a uniform, nationwide standard for secure identification, to provide a uniform appearance and
graphical security features across multiple technologies, including proximity, contact chip, contactless chip,
and magnetic and optical stripes. Standardization would also support a common credential that spans
multiple technologies and is universally recognized.

Decrease the requirement for redundant credentials and background checks. Verifying during the
application and enrollment processes whether previous checks have already been made, and tying those
checks to the applicant's identity, can reduce redundancy. Honoring previously conducted checks, when
conditions and policy warrant, also helps the credential be recognized as single and uniform.

Design a solution to positively and securely link an individual to his/her credential via a reference
biometric, and to the background information on the claimed identity of that individual. Capture a
digital photo, 10 fingerprint images, iris images, and breeder documents at the time of enrollment; securely
store this information tied to the individual's claimed identity; and enable future one-to-many biometric
searches against the captured information.

Ensure the solution is compatible with existing facility access control and related systems, to leverage
current security investments. Provide both back-end and front-end integration with existing legacy access
control systems, as well as capable, programmable readers that support multiple access control technologies
and biometrics.

Ensure the ability to quickly revoke the access privileges of credential holders identified as a threat after
issuance, and to immediately remove lost, stolen, or compromised credentials. Hotlist notifications should
be pushed out automatically and immediately to the relevant parties, with an additional alert capability so that
local administrators can revoke the access of hot-listed cards, whether lost, stolen, or compromised.

Retrieve pre-enrollment employer sponsorship, biographic, and payment information. A methodology for
retrieving pre-enrollment data encourages applicants to follow the recommended procedures when applying
for a credential and minimizes face-to-face enrollment time. Pre-enrollment also lets the applicant print a
bar-coded form containing the scheduled appointment time and other information; the bar-coded form gives
the applicant preferred access in support of the scheduled appointment. The form also generates a request
message referencing the user index synchronized to the database record, so the pertinent data is quickly
retrieved, reducing both time and effort and thus the face-to-face transaction time.

Support the claimed identity verification process. The system should support verification of the claimed
identity during enrollment through strong authentication of breeder documents. The reader-authenticator is an
imaging unit that captures full color, infrared, ultraviolet (UV), and coaxial images from all ISO 7501/ICAO 9303
compliant documents (such as passports, visas, and national travel cards: ID-1, ID-2, and ID-3) as well as
non-ICAO compliant documents including driver's licenses and IATA standard ATB1, ATB2, and TAT document types.

Whereas traditional document readers allow inspectors to capture only text data from a travel document, the
reader-authenticator captures text, images, Optically Variable Devices (OVDs) and other encoded data from
anywhere on the face of the document. The platform should also include the functional capabilities of
classification, reading/extraction, and authentication. Used in conjunction, these constitute the most advanced
identification document authentication system available.

Capture biographic and biometric data for initiation of the background check and registration
processes. The enrollment station should use a certified high-quality 10-finger scanner to capture fingerprints
and a digital camera capable of capturing a facial image that is sufficient for identification and meets
the ICAO specification. Enrollment data includes all information required for searches and is stored in an
IAFIS-compliant Electronic Fingerprint Transmission Specification (EFTS) record format that conforms to
international standards. The importance of the quality of biometric image capture during this transaction
cannot be overstated: these images are often used later for identification and verification, and must be
reusable. Furthermore, at this stage in the transaction, the success of the credential as a biometric carrier
depends on the ability to accurately store the images and verify their quality.

Image capture, verification, and retention of claimed ID documents. The enrollment station captures,
verifies, and retains images of driver's licenses, passports, issued IDs, and other full-sized documents. The
enrollment workstation uses the reader-authenticator for passport-sized or smaller documents, and a flatbed
scanner for larger documents. The images captured during enrollment are stored as a permanent part of the
applicant record.

Minimize manual data entry of initial biographic and demographic information. Development of
convenient and easy-to-use pre-enrollment stations, either web or kiosk based, will decrease employee data
entry time and prevent errors while processing information. Additionally, live waiting time can be
reduced through the use of incentives to promote pre-enrollment participation. For example, pre-
enrollment produces a printed, bar-coded receipt that facilitates rapid retrieval of the data entered during
pre-enrollment and reduces processing and wait time.

Refer to Appendix A for an illustration of an effective ePassport/Identity Management system.
4. Characteristics of Successful Identity Management Projects
Minimizing the disruption to passport holders when introducing Integrated Chip (IC) enabled passports is a
primary area of concern. The May 2003 ICAO decision to adopt contactless chips will simplify the process
for immigration officials to extract data held on the chip by using an RF-enabled reader. Based upon our
experience with biometrics, integrated circuit chip technology, and passport production, several additional
focus areas for consideration include:
- Establishment of a simple and secure nationwide biometric enrollment infrastructure;
- Access to a central biometric data repository for U.S. passport holder data;
- Incorporation of a standards-compliant chip that supports a wide variety of contactless chip
readers;
- International context of U.S. passport usage; and
- Minimization of disruption to existing passport production processes.

Biometric Enrollment Infrastructure
The systematic capture of biometric data will require the organization and creation of a significant
infrastructure. Establishing a robust enrollment infrastructure should be considered at the start of, as well as
throughout, the implementation process. The infrastructure must capture and process at least facial, and one
or more additional biometric features (e.g., fingerprint or iris). Furthermore, it must be consistent with
policies for validating an applicant's entitlement to hold a passport and be designed in a manner where there
is minimum impact to the existing passport application process. To facilitate accurate facial and other
biometric recognition matching at international entry/exit points, data must be captured and
processed with care, because poor quality images degrade matching rates, particularly in the case of
facial recognition.

Biometric Data Repository
Secure, high speed access to a national database of passport holders' biometric data is a prerequisite for
validation at entry/exit points and is consistent with ICAO guidelines regarding multifactor recognition at
entry/exit points through referencing a database.

Historically, a one-to-one validation compares the data on a passport's embedded chip to the information on the
document's physical data page, in addition to visual identification to verify the identity of the holder.
However, cross-referencing data extracted from a chip and from live image capture against a national
biometric data repository would provide a greater level of authentication. The cross-reference method would
validate that the biometric profile of the person at the border matches the data held on the passport chip, as
well as the data in the national repository for that citizen. However, use of cross-referencing programs must
be weighed against bandwidth/connectivity demands, as well as protection of the data in motion and at rest,
including the interfaces and accessibility of the national database.

Cross-referencing is similar to models that have been adopted in several limited scope programs for
automated immigration gates, most notably in the Netherlands and Australia. In Australia's SmartGate
initiative, for example, air travel industry employees that have enrolled in the program can report to an
unmanned immigration booth in Sydney airport; a facial recognition system validates that the live image of the
employee captured in the booth matches that of the employee enrolled in the SmartGate database. The
Sydney airport program is similar to a frequent flyer program in operation at the Netherlands' Schiphol
airport, although in this case the iris is the biometric feature used. However, in both cases, the only check
against the passport document is to verify that details in the passport's Machine Readable Zone (MRZ) match
those contained in the database; there is no check against biometric data held on the passport.
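Two of the steps described in this paper, reading ISO 7501/ICAO 9303 documents at the enrollment station (Section 3) and the MRZ-to-database comparison that the SmartGate and Schiphol programs rely on (above), both rest on parsing and checking the passport's MRZ. The following is an added example, not code from the paper or from any reader vendor: it implements the ICAO 9303 check-digit rule for a TD3 (passport) MRZ (weights 7, 3, 1 repeating; digits keep their value, A to Z map to 10 to 35, the filler '<' counts as 0), evaluates the four field check digits and the composite check digit of the second line, and then compares the parsed fields against a constructed enrollment record. The MRZ used is the fictitious "Utopia" specimen from ICAO 9303; the enrollment database, the `Td3Mrz` type and the function names are assumptions of this example. Note that, as the text says of both programs, nothing here touches biometric data on the chip.

```python
"""Verify a TD3 (passport) MRZ and cross-check it against an enrollment record.

Added example, not code from the paper or any vendor's reader. The enrollment
database is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

WEIGHTS = (7, 3, 1)

# ICAO 9303 specimen MRZ (fictitious "Utopia" passport).
SAMPLE_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed enrollment database, keyed by document number.
ENROLLMENT_DB = {
    "L898902C3": {"surname": "ERIKSSON", "given_names": "ANNA MARIA",
                  "nationality": "UTO", "birth_date": "740812", "sex": "F"},
}


def char_value(c: str) -> int:
    """Numeric value of one MRZ character under ICAO 9303."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(data: str) -> int:
    """Weighted sum of character values, weights 7-3-1 repeating, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


def _matches(data: str, printed: str) -> bool:
    """Compare the computed check digit with the printed one ('<' is read as 0)."""
    return check_digit(data) == char_value(printed)


@dataclass
class Td3Mrz:
    document_type: str
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str
    sex: str
    expiry_date: str
    personal_number: str
    check_results: dict[str, bool] = field(default_factory=dict)


def parse_td3(line1: str, line2: str) -> Td3Mrz:
    """Split the two 44-character lines into fields and evaluate every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    names = line1[5:].rstrip("<").split("<<", 1)          # surname << given names
    checks = {
        "document_number": _matches(line2[0:9], line2[9]),
        "birth_date": _matches(line2[13:19], line2[19]),
        "expiry_date": _matches(line2[21:27], line2[27]),
        "personal_number": _matches(line2[28:42], line2[42]),
        # The composite digit covers document number, birth date, expiry and
        # personal number together with their own check digits.
        "composite": _matches(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return Td3Mrz(
        document_type=line1[0:2].rstrip("<"),
        issuing_state=line1[2:5].rstrip("<"),
        surname=names[0].replace("<", " "),
        given_names=names[1].replace("<", " ") if len(names) > 1 else "",
        document_number=line2[0:9].rstrip("<"),
        nationality=line2[10:13].rstrip("<"),
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
        personal_number=line2[28:42].rstrip("<"),
        check_results=checks,
    )


def verify_against_enrollment(mrz: Td3Mrz, db: dict) -> tuple[bool, list[str]]:
    """(ok, problems): every check digit must pass and the enrolled record must match."""
    problems = [f"check digit failed: {k}" for k, ok in mrz.check_results.items() if not ok]
    record = db.get(mrz.document_number)
    if record is None:
        problems.append("no enrollment record for document number")
    else:
        problems += [f"{k} mismatch" for k, v in record.items() if getattr(mrz, k) != v]
    return not problems, problems


if __name__ == "__main__":
    genuine = parse_td3(SAMPLE_LINE1, SAMPLE_LINE2)
    print(verify_against_enrollment(genuine, ENROLLMENT_DB))     # (True, [])
    # One altered digit in the birth date makes both the field and composite digits fail.
    altered = SAMPLE_LINE2[:13] + "750812" + SAMPLE_LINE2[19:]
    print(verify_against_enrollment(parse_td3(SAMPLE_LINE1, altered), ENROLLMENT_DB))
```

The check digits only detect misreads and crude alterations of the printed zone; they are not a security feature, which is why the paper pairs the MRZ read with image-based document authentication at enrollment and, for border use, with a comparison against the enrolled record.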

Standards-based Chip Solution
The wide variety of available MRZ and full-page passport readers ensures that a range of contactless chip
readers will be deployed by national immigration agencies around the world. Therefore, the chip selected
should be readable, in a performant manner, by readers of all quality levels, and consistent with the
international standards defined by ICAO. Furthermore, an added benefit of a standardized solution is that
infrastructure developed to read one nation's passports would also be capable of reading any other nation's
passport. An example of this technology is BCIS (formerly INS), which is currently piloting a system to read
Malaysian biographic passport data.

International Context
Because many countries may not have the necessary infrastructure in place to process chip-resident data of
international passports, chip insertion must not affect the traditional measures of reading and
verifying the authenticity of the passport, as well as the holder's identity. Supporting the traditional verification
processes requires support of MRZ and full-page readers.

Minimize Disruption to Passport Production
The primary area of consideration is the impact on the personalization process, to ensure that chip encoding
forms a seamless element in the personalization process. Secondly, the impact on the passport booklet
manufacturing process must be minimized, and it must be ensured that, during insertion, the chip is protected from
temperature variations, pressure, flexing, bending and other potential damage. Both of these concerns are
strongly linked and should be addressed in conjunction.

The first option, which avoids potential damage during the manufacturing process, is consistent with the
requirements for chip insertion into the inside back cover of the booklet: the chip is embedded in a
protective plastic material (i.e., polycarbonate or polymeric) that is then inserted into the back cover. The
protective material would, ideally, be the same size as the booklet's page, protect the chip from heat,
compression and other factors, and be designed in a manner that any attempt to split the material would
result in significant damage to the chip.

A second option considers replacing current paper data pages with polymeric material that would host the
chip. This process requires no change to the back cover, and printers would personalize the polymeric data
page with the holder data, with zero to little modification required. The greatest benefit of this option is that
the chip is stored in the same location as the standard holder data. Initial tests of this scenario have been
positive.

Both proposed options are compatible with either an inline or external approach: whether the chip is inserted
into a polymeric material in the back page or into the same substance that forms the data page, countries
can either adopt a chip encoding module that directly integrates with the existing printers, or implement an
encoding process external to the equipment. An additional area of consideration is close accounting and
inventory management of the chips and their data pages or embedded covers; this component often needs to
be added to existing inventory management systems to associate chip serial numbers with passport booklet
numbers.
5. Summation
There are a number of existing global eID initiatives, with Europe and the US at the forefront with respect to
new eID deployments. Governments are leveraging the use of IT and the Internet to deploy, on a large scale,
eID programs to enterprises, as well as citizens. Electronic services are being utilized to facilitate the use of
eID. Following is a list of services employing the use of eID to reduce administrative costs, as well as
effectively verify an individual's identity (Eurosmart Whitepaper on Technologies for Identity, 2003):

- In the US for filing Federal, State & Local Income taxes; in Europe to declare & notify Income
and other taxes
- In Europe, labor office job searches
- Social Security & other Public Services: unemployment benefits, child allowances & student
grants
- Paper Identification Applications: driver's licence, passport, & immigration visa
- Motor vehicle registration
- Building & Renovation Permits
- Police statements with respect to theft or accident
- Request & Delivery of certificates (birth & marriage)
- Address Change & Update of Personal Information
- Electronic voting

Electronic services offer an effective medium to familiarize citizens with the use of eID, by offering a quick,
convenient method of obtaining services. Electronic-based government services for citizens (e-Government)
offer a beneficial tool for citizens. For government, such on-line services offer multiple advantages:

- Reduction in administrative & overhead costs
- Single point of contact for individual government entities
- Reduction in the incidence of fraud due to encryption technologies
- Quick and reliable services
- Improved citizen satisfaction and government perception
- Greater control and privacy of personal information

Continued advancements in identity management technologies and standards will streamline the processes
necessary to deploy efficient and interoperable identity verification and authentication initiatives.
Standardization of technologies, by streamlining planning processes, will aid the creation of a
strong, unified credential capable of vetting large populations, providing strong identity assertion, as well as
issuing authority verification.
