Best practices for use of RF technology in ID management

Jan 30, 2007 10:46 AM

Using radio frequency (RF) technology for identity management has become a balancing act between security and privacy. The Smart Card Alliance Identity Council has released guidance regarding best practices for organizations implementing the technology in identity management systems.

In "Best Practices for the Use of RF-Enabled Technology in Identity Management," the Alliance provides recommended guidelines for issuers of ID credentials using RF technology to ensure the confidentiality, integrity and validity of identity information and to protect the credential holder's privacy. The publication and accompanying frequently asked questions document also address common misunderstandings about the use of RF technology to transmit identity information, which have led to questions about the security and privacy of RF-enabled ID credentials.

"There is a public misperception that all RF-enabled technology is synonymous with RFID," says Randy Vanderhoof, executive director of the Alliance. "These new documents achieve a twofold purpose: They provide rules for good behavior when using RF-enabled technology in identity management, and they clearly delineate the differences between RFID and contactless smart cards that use RF and provide security and privacy protection in identity applications."

Radio frequency identification (RFID) is commonly used in product tags for tracking and supply chain management. Contactless smart cards are RF-enabled devices with onboard computers designed to protect identity information and its communication. Widespread corporate and government use, including the worldwide e-passport program, has validated contactless smart card technology as a secure, reliable way to transmit ID information.

Key elements of the Alliance's best practices for using RF technology in ID management call on credential issuers to:

* Implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application.

* Ensure protection of all user and credential information stored in central identity system databases, allowing access to specific information only according to designated access rights.

* Notify the user as to the nature and purpose of the personally identifiable information (PII) collected -- its usage and length of retention.

* Notify the user about what information is used; how and when it is accessed and by whom; and provide a redress mechanism to correct information and to resolve disputes.

Vanderhoof emphasizes that RF-enabled smart cards are able to meet all the guidelines in the Alliance's best practices document. The use of RFID tags in identity credentials, however -- due to their long read range of up to 25 feet and lack of appropriate security features -- could leave users open to the types of fraud and identity theft most feared by privacy advocates and government officials, he says.