Smart Cards and Biometrics
I used to think smart cards were pretty cool. A computer, memory, the whole works all in a little tiny package attached to a card. But over the past few years I have become less enamored with them. They are still ridiculously expensive — $10+ / card for something like a 64K card, and they don’t seem to have come down in price even though the corresponding technology has become really cheap. For example, I can buy a 2 Gig memory stick about the same size as the “chip” part of a smart card for about $5. Granted, that doesn’t have a processor, but those are less than $1 for the kinds of processors in smart cards.
The DoD has been one of the biggest users of smart cards. The DoD Common Access Card (CAC) is one of the biggest smart card programs in the world. And what exotic information is stored on the card? A picture, an ID number, a name, and a few other small things that are already on the front of the card. Yawn. They are starting to store a single finger biometric on the card, but that is going to take a long time to implement. In my role as a DoD contractor, I almost always had a CAC card. I used it extensively in Iraq and Afghanistan. And of course, in a dangerous environment like that, the DoD exploited all the security present in the smart card, right? Nope. The CAC card was used exclusively as a “flash pass,” meaning it was simply displayed to a guard to look at visually. It was never checked electronically. And that is pretty common across the DoD. It is getting to be pretty commonly used to log in to computers for the DoD, but that has taken many years. The CAC card costs around $80 each, when all the costs are taken into account. How is that a good use of taxpayer money?
My personal belief is that smart cards are mainly a status thing. They are effectively impossible to counterfeit, which is great. However, if they are not read electronically, then that feature is useless. But smart cards have status. Just being able to wave one around makes you an important person with a serious credential. I have talked to foreign government officials who have not been able to articulate why they want a smart card; they just know that they want one. This is the argument I use with my wife when I tell her I need a new laptop when my old one is only a year old. It is form over function, and it makes no sense.
The Israelis recently instituted a smart-card biometric program at their airport. They are following the standard procedure of storing biometrics (face, finger) on the card:
… passengers can then proceed to the first security stand, where they will be asked to swipe their cards and passports through the machine. As the computer confirms a biometric match…
(By the way, you don’t swipe smart cards, you insert them into a reader.) What I always think when I see this is “If you have the biometrics, why do you need the card?” The biometrics don’t have to be stored on the card, especially in a place like an airport where you can have all the computers, network, and storage you need. The card allows you to do a 1:1 comparison. Without the card, you would do a 1:N comparison. If you did a lookup of four fingers plus a face, the chance of a false positive would be infinitesimal, and it would be plenty fast enough. Your biometrics are your credential, and when you have that credential you don’t need a card. The system would be just as secure, and it would save millions of dollars in smart cards that would not have to be issued, re-issued, printed, lost, etc.
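The 1:1 versus 1:N comparison above can be put into numbers. The following is an added example, not part of the original post: it computes the chance of at least one false match when a traveler is searched against N enrolled people, for a single finger and for four fingers plus a face. The per-sample false match rates, the gallery size, the independence of errors between samples, and the "every sample must match" fusion rule are all assumptions made for illustration.

```python
import math

def fused_fmr(per_sample_fmrs):
    """False match rate when an impostor must falsely match every sample.

    Assumes an AND fusion rule and statistically independent errors.
    """
    return math.prod(per_sample_fmrs)

def fpir(fmr, gallery_size):
    """Chance that at least one of N enrolled non-mates falsely matches.

    Computes 1 - (1 - fmr)^N with log1p/expm1 so tiny rates do not round to 0.
    gallery_size = 1 is the 1:1 check that a card makes possible.
    """
    return -math.expm1(gallery_size * math.log1p(-fmr))

def max_gallery_size(fmr, target_fpir):
    """Largest N for which fpir(fmr, N) stays at or below target_fpir."""
    return math.floor(math.log1p(-target_fpir) / math.log1p(-fmr))

# Constructed values for illustration only; not measurements of any product.
FINGER_FMR = 1e-4        # assumed false match rate for one finger
FACE_FMR = 1e-3          # assumed false match rate for one face image
ENROLLED = 10_000_000    # assumed number of enrolled travelers

if __name__ == "__main__":
    four_fingers_and_face = fused_fmr([FINGER_FMR] * 4 + [FACE_FMR])
    print("1:1, one finger:          ", fpir(FINGER_FMR, 1))
    print("1:N, one finger:          ", fpir(FINGER_FMR, ENROLLED))
    print("1:N, four fingers + face: ", fpir(four_fingers_and_face, ENROLLED))
    print("max N for 1% FPIR, one finger:",
          max_gallery_size(FINGER_FMR, 0.01))
```

Under these assumptions a single finger is useless for a 1:N search at this scale, while the fused five-sample check keeps the false-positive chance negligible. Requiring every sample to match also raises the false rejection rate, so a deployed system has to tune that trade-off.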