The Smart Card Alliance Identity Council has released guidance regarding best practices for organizations implementing radio frequency (RF) technology in identity management systems.
In "Best Practices for the Use of RF-Enabled Technology in Identity Management," the Alliance provides recommended guidelines for issuers of ID credentials using RF technology to ensure the confidentiality, integrity and validity of identity information and protect the credential holder's privacy. The publication and accompanying FAQ document also address common misunderstandings about the use of RF technology to transmit identity information, which have led to questions about the security and privacy of RF-enabled ID credentials.
"There is a public misperception that all RF-enabled technology is synonymous with RFID," said Randy Vanderhoof, executive director of the Alliance. "These new documents achieve a twofold purpose - providing rules for good behavior when using RF-enabled technology in identity management and clearly delineating the differences between RFID and contactless smart cards that use RF and provide security and privacy protection in identity applications."
Radio frequency identification (RFID) is commonly used in product tags for tracking and supply chain management; a basic tag answers any reader in range with a fixed identifier and performs no cryptography. Contactless smart cards are RF-enabled devices with an onboard microprocessor that can authenticate the reader and encrypt and integrity-protect the exchange, so both the stored identity information and its transmission are protected. Widespread corporate and government use, including the worldwide e-passport program, has established contactless smart card technology as a secure, reliable way to transmit ID information.
Key elements of the Alliance's best practices for using RF technology in ID management call on credential issuers to:
- Implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application.
- Ensure protection of all user and credential information stored in central identity system databases, allowing access to specific information only according to designated access rights.
- Notify the user of the nature and purpose of the personally identifiable information (PII) collected, how it is used, and how long it is retained.
- Notify the user about what information is used; how and when it is accessed and by whom; and provide a redress mechanism to correct information and to resolve disputes.
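The first guideline above (mutual authentication, cryptography, message integrity) is the one that separates a contactless smart card from a plain RFID tag. The following is an added illustration written for this page, not the Alliance's protocol or any vendor's implementation: a simulated card and reader that share a symmetric key (an assumption; real deployments would derive a per-card key from a master key or use public-key certificates) run a nonce-based challenge-response in both directions using HMAC-SHA256, and the card releases its PII record only inside an authenticated session and only with a MAC over it. The names `Card`, `Reader`, `demo` and `replay_attempt` are this example's own. A skimmer without the key gets nothing, and a recorded reader proof cannot be replayed because the card issues a fresh nonce each session.

```python
"""Constructed example of mutual authentication between a contactless
credential and a reader, with message integrity on the released record.
Not the Smart Card Alliance's protocol; assumes a shared symmetric key."""
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Card:
    """Credential side: holds its key and a PII record it must protect."""

    def __init__(self, card_id: bytes, key: bytes, record: bytes):
        self.card_id, self.key, self.record = card_id, key, record
        self.card_nonce = None
        self.session_key = None

    def challenge(self) -> bytes:
        # Fresh nonce per session: a recorded exchange cannot be replayed.
        self.card_nonce = secrets.token_bytes(16)
        self.session_key = None
        return self.card_nonce

    def authenticate_reader(self, reader_nonce: bytes, reader_tag: bytes):
        """Verify the reader's proof; on success return the card's own proof."""
        if self.card_nonce is None:
            return None
        expected = mac(self.key, b"reader", reader_nonce, self.card_nonce, self.card_id)
        if not hmac.compare_digest(expected, reader_tag):
            self.card_nonce = None  # abort the session; no data will be released
            return None
        self.session_key = mac(self.key, b"session", reader_nonce, self.card_nonce)
        return mac(self.key, b"card", self.card_nonce, reader_nonce, self.card_id)

    def read_record(self):
        """Release PII only inside an authenticated session, with a MAC."""
        if self.session_key is None:
            raise PermissionError("reader not authenticated")
        return self.record, mac(self.session_key, b"record", self.record)


class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def run(self, card: Card):
        """Full exchange; returns the record, or None if any step fails."""
        card_nonce = card.challenge()
        reader_nonce = secrets.token_bytes(16)
        reader_tag = mac(self.key, b"reader", reader_nonce, card_nonce, card.card_id)
        card_tag = card.authenticate_reader(reader_nonce, reader_tag)
        if card_tag is None:
            return None  # card rejected us (wrong key on the reader side)
        expected = mac(self.key, b"card", card_nonce, reader_nonce, card.card_id)
        if not hmac.compare_digest(expected, card_tag):
            return None  # card is not genuine (cloned ID without the key)
        session_key = mac(self.key, b"session", reader_nonce, card_nonce)
        try:
            record, tag = card.read_record()
        except PermissionError:
            return None
        if not hmac.compare_digest(mac(session_key, b"record", record), tag):
            return None  # record altered in transit
        return record


def demo():
    """Genuine reader succeeds; a skimmer with the wrong key gets nothing."""
    key = secrets.token_bytes(32)
    card = Card(b"CARD-0001", key, b"name=J. Doe;dob=1980-01-01")  # constructed PII
    genuine = Reader(key).run(card)
    rogue = Reader(secrets.token_bytes(32)).run(card)
    try:
        card.read_record()
        leaked = True
    except PermissionError:
        leaked = False  # card refuses to talk after a failed authentication
    return genuine, rogue, leaked


def replay_attempt(card: Card, key: bytes):
    """A valid reader proof captured in one session fails in the next."""
    n1 = card.challenge()
    rn = secrets.token_bytes(16)
    tag = mac(key, b"reader", rn, n1, card.card_id)
    first = card.authenticate_reader(rn, tag)  # succeeds: fresh, correct
    card.challenge()                            # new session, new card nonce
    second = card.authenticate_reader(rn, tag)  # replayed proof is rejected
    return first is not None, second


if __name__ == "__main__":
    genuine, rogue, leaked = demo()
    print("genuine reader got:", genuine)
    print("rogue reader got:", rogue, "| leaked after failure:", leaked)
    k = secrets.token_bytes(32)
    print("replay:", replay_attempt(Card(b"CARD-0002", k, b"x"), k))
```

The two nonces bound into every MAC are what make the authentication mutual and fresh; the MAC on the record is the "verification of message integrity" the guideline calls for. A basic RFID tag, by contrast, has no key and no processor to run any of this, which is why its identifier can be read and replayed by anyone in range.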
Vanderhoof emphasized that RF-enabled smart cards are able to meet all the guidelines in the Alliance's best practices document. The use of RFID tags in identity credentials, however - due to their long read range of up to 25 feet and lack of appropriate security features - could leave users open to the types of fraud and identity theft most feared by privacy advocates and government officials, he said.
"Adherence to these best practices not only helps ensure the validity, security and integrity of vital identity information, but at the same time addresses the concerns of citizens and government officials about privacy and the growing threat of identity theft," Vanderhoof said.