VOL. II ARTICLE NO. 127

Credentialing Integrity

The Fine Art of Ensuring That Your Credentialing Strategy Isn't Compromised Through Counterfeiting, Theft, Alteration or Unauthorized Issuance.

During the opening ceremony of the 2010 Winter Olympics Games, a mentally ill man with a homemade security pass – and a fixation – was able to get within a few feet of U.S. Vice President Joe Biden.

Two female plainclothes Canadian Mounties protecting Biden decided that they felt the man "just didn't fit in."

So they intercepted him. Within moments, they determined that his credentials were invalid – either faked or forged – and began escorting him back up the aisle. At which point he began to run.

There are two key lessons here. First, leveraging state-of-the-art technology for credentials such as badges or passes is enormously important. This is true if your job is ensuring the security of a nation's leader. Or safeguarding a leading pharmaceutical research lab. Or managing the security supporting an international, month-long, 10-stadium sports event with 3 million attendees.

But take note of the second lesson here: that proper credentialing – no matter how sophisticated its underlying technology might be – is only as effective as the many other crucial aspects of a highly integrated, layered approach to security.

Like what? Multiple perimeters of security. Critical process redundancies. And specialized training for security personnel, including knowledge of behavioral threat assessment techniques, to name just a few. Each of these played a role in Vancouver and, taken together, successfully prevented a possible attack on the U.S. Vice President.

The Four Most Common Ways That Credentials Are Compromised

• Theft of genuine credentials or raw materials used in the production process. Outright theft of credentials is always a risk. So is the theft of inputs such as seals, specialized stock papers and blank identification cards. Documents may be stolen before delivery to the holder (e.g., in the mail) or afterwards (e.g., from an office).
• Unauthorized release of authentic documents. It's called collusion. An "insider" illegally issues a valid ticket or credential to an unauthorized person. Or illegally produces a genuine document, bypassing established controls and procedures, and sells it to unauthorized parties.
• Post-production alteration. This refers to changing or replacing information on a credential, such as switching a photo, removing legitimate information or adding false identifiers.
• Counterfeiting. Someone develops an exact replica of an original document or a similar reproduction. Sometimes fictitious counterfeits are created that bear no resemblance to the original.

How should credentials be selected,designed and managed?

The answers depend on the security program goals – and the need to align strategy, budget and other resources most cost effectively with the security outcomes that must be achieved, including:

• Protect document integrity – It is important to make alteration difficult, inhibit transferability from one user to another and preserve evidence of tampering.
• Tie the credential tightly to the individual authorized to carry it – The credential should capture information uniquely identifying the person to whom it was issued and sufficiently indicating authorized level of access.
• Enable proper screening and fraud discovery – Security personnel should be able to quickly – either manually or automatically – interpret any codes used on the credential without difficulty.
• Facilitate intervention and reporting – In some cases, design elements can facilitate real-time alerts, information sharing and location tracking as well as post-breach auditing and process improvement.
• Comply with regulations and guidelines – In the U.S., for example, FIPS 201 (Federal Information Processing Standards Publication 201) is a government standard that specifies Personal Identity Verification (PIV) requirements for federal employees and contractors.

One-time and multi-use credentials should have a combination of the following security features embedded in their construction – from substrate to document printing.

• Overt Security Components – These involve easily identifiable visual or tactile features that permit inspection and examination without tools or aids.
• Covert Security Components – These devices support inspection and examination without attracting much attention or inconveniencing authorized bearers.
• Forensic Security Components – These help prove credential genuineness, sometimes through destruction. Typically this involves expert analysis and laboratory processes that evaluate a sophisticated set of security features known only to a few – a strategy engaged often by justice and law enforcement personnel for court use.

Credentialing Technologies: A Rapidly Evolving Spectrum of Choices

• Basic: Magnetic stripes; barcodes; security threads; ultra violet features; holograms; micro printing; watermarks; digital photos
• Advanced: Heat sensitive paper; color-shifting ink visible only under proprietary equipment; magnetic ink; handheld credential-screening devices; proximity software
• Emerging: Smart chips; cryptographic credentials such as x.509 certificates; biometric data such as fingerprints, facial recognition, retinal scans, voice and hand geometry

For More Information

To find out more about credentialing integrity, contact:

• Arnette Heintze, Partner and Chief Executive Officer, at (312) 869-8500 or via email
• G. Michael Verden, Senior VP and Managing Director, at (312) 869-8500 or via email