Privaris
Library

FAQs

Common questions about plusID personal biometric tokens:

COMPATIBILITY

How can I deploy plusID personal biometric tokens without changing my existing security systems?

Each plusID has up to six different industry-standard interfaces (low and high frequency RFID, USB, smart card compatibility, Bluetooth or IEEE 802.15.4, and one-time password functionality), enabling it to work out-of-the-box with the majority of existing physical and logical security infrastructures, with no installation, middleware, or coding required. For example, plusID devices work on the exact same door readers as prox and iCLASS cards for physical access, and with the Microsoft operating system found on most PCs for logon.

How does plusID simplify the convergence of physical and logical / IT security?

Each multi-function plusID device supports both physical and logical access, thereby replacing multiple prox cards, iCLASS cards, smart cards and passwords. The plusID can hold up to eight different card formats for physical access and still support logical access. plusID’s multiple communication interfaces and compatibility with industry standards equip it to work, out-of-the-box, with both existing door readers for physical access, and existing Microsoft domains* for computer logon. 

* requires Microsoft smart card support on server and client machines

How does plusID interface with door readers and computers?

For physical access applications, plusID’s low and high frequency RFID interfaces are used to send access credentials to readers in the exact same manner as traditional proximity or iCLASS cards. For logical access applications such as computer logon, plusID’s USB, Bluetooth™, and IEEE 802.15.4 interfaces expose the plusID's smart card and one-time password capabilities. During device issuance, the Enrollment Administrator programs the four multi-function buttons on the face of the plusID device to correspond with specific applications. Each button can hold both a proximity and iCLASS (smart) card, and still be available for logical access.

What if our entire population of users doesn’t have a need for the heightened security of biometrics? 

plusID devices do not have to be issued to everyone.  Because they work with existing physical and IT security infrastructures, plusID devices can be issued selectively to a subset of your total population.  So users with access to facilities or data with lower security thresholds can retain their access cards, while mission critical employees can benefit from the heightened security of biometric identity verification using plusID.

 

PERSONAL PRIVACY

Does plusID require biometric databases or backend servers?

No. The plusID device has its own built-in fingerprint sensor, so all of the biometric processing, from enrollment to matching, is performed directly on the user’s own personal device. Each time the user verifies, the device performs a 1:1 match, comparing the user’s live fingerprint to the template securely stored on the device. So there is no need for an external database of fingerprints to match against, nor is there any need to move fingerprint images over a server.

Do I have to relinquish my sensitive biometric data to my employer to use plusID?

No.  With plusID, your fingerprint templates are securely stored and matched on your own personal, trusted device. They are never collected or stored in backend systems and never released.  A successful fingerprint match on your plusID triggers the release of standard access credentials, such as a code to enter a door or a password to logon to a computer.

 

SECURITY

Can plusID devices be sniffed or cloned when not in use, like a prox card?

No.  Unlike a prox card, which is always “active,” the plusID device is only active for several seconds after a verification (i.e., fingerprint swipe).  It then automatically powers itself off, making the device inert, and incapable of being sniffed or cloned.

What makes the plusID a trusted device?

plusID is a trusted device because it secures itself, and its data, using standard cryptographic exchanges and data encryption.  Further, the device has a secure processor (ASIC) that performs cryptographic operations, and is designed to meet the highest level of US Government standards for the protection of cryptographic devices (FIPS 140-2 Level 3).

Is an image of my fingerprint stored on my plusID device?

No. Only numeric representations of unique features of your fingerprint (for example, specific ridges, valleys or swirls) are encoded and stored on the device in the form of a template. These numeric representations are used in the matching process that confirms you as the authorized user of the device.

Is my fingerprint transmitted from my plusID device?

No.  A successful fingerprint match on your plusID triggers the release of standard access credentials, such as a code to enter a door or password to logon to a computer. Your fingerprint is never transmitted, nor is it ever collected or stored in any software application or database.

What happens if my plusID device is lost or stolen?

Unlike most lost or stolen credentials, a plusID device is useless in the hands of anyone other than its authorized user. Just like with any other issued credential, the issuing organization determines the procedures a user should follow for reporting and replacing a lost or stolen plusID.

Can my fingerprints be accessed from the plusID device if it were lost or stolen?

No. First, only the enrolled user can activate the device. Second, the device does not permanently store your actual fingerprints. Numeric representations of specific unique features of your fingerprint (templates) are encrypted and stored on the device. These templates are used in the matching process that confirms you as the authorized user of the device. These numeric representations are stored in the device’s secure memory and are not accessible by external sources.

Can fingerprints be faked and the security of the plusID device compromised?

The fingerprint sensor on your device uses sensing technology that rejects a fake finger or other attempts to fool the device. The sensor actually looks beyond the surface of your finger, three-dimensionally to the inner layers of your skin where your fingerprint features are formed. These techniques rely on the specific chemistry of your skin, which is not present in a fake finger or “gummy” attack.

Can a third party steal my access credentials while they are being wirelessly transmitted to or from the plusID device?

Typically, all information sent to or from your plusID device is encrypted, which prevents a third party from interpreting the information during transmission. For some physical access applications using older, low frequency RFID technologies, encryption of the credential transmission is not an option, but in these cases, the close proximity required for access (1-2 inches from the reader) makes the possibility of a transmission being intercepted without notice highly unlikely.

 

PHYSICAL ACCESS

Do I have to install biometric readers at doors and entrance ways to use plusID?

No.  With plusID there is no need to install fixed, mounted fingerprint readers at doorways.  Each plusID personal security token has its own built-in fingerprint reader and interfaces with the conventional access control card readers already in place at most doorways.  In addition to eliminating the need to install new hardware, plusID eliminates the single point of failure caused by traditional door mounted biometric readers, and the resulting long lines and traffic delays.

What types of existing physical access systems does plusID work with?

plusID works in place of prox and smart cards and supports the card formats offered by HID (including Corporate 1000), Indala and CASI, and works with both Prox (125 kHz) and iCLASS (13.56 MHz).

How are access control credentials loaded onto a plusID?

Access control card credentials (card numbers) are loaded onto the plusID using an “idBank” from HID.  idBank is a smart card containing card formats that are securely transferred to plusID devices using the plusID Manager software application. In order to use plusID in place of access cards or fobs for accessing doors and facilities, a card format must be loaded onto the plusID device via an HID idBank. Card formats from an idBank can be securely added or changed on the device. idBanks can be ordered with HID®, CASI, or Indala® prox and HID iCLASS card formats, including Corporate 1000, in quantities of 25, 50, 100, 200 or 300.

If I carry multiple access cards for multiple buildings or facilities, can I still use plusID?

Yes, a single plusID can hold up to eight different card numbers and formats (i.e., credentials). Each plusID includes four buttons which are used to select the access control credential that will be transmitted upon a successful fingerprint match. Different credentials can be assigned to a single button on a plusID, as long as each credential uses a separate communication frequency. For example:

Prox & iCLASS = yes; Prox & Long Range = yes; Prox and Prox = no

Can the device be issued in place of prox cards, iCLASS cards, or smart cards for higher levels of security?

Yes.  plusID devices work on the same door readers as both prox and iCLASS cards, with no additional hardware or middleware required, enabling them to be issued in place of access cards when there is a need for positive identity verification.  Additionally, the plusID device is smart card compatible, meaning that it can be used for computer logon, with no additional software or hardware required.

 

LOGICAL / IT ACCESS

Is any additional software or middleware required in order to use my plusID for logon in place of passwords and smartcards?

No.  Only a simple Microsoft USB device driver is required. plusID devices are natively supported by Microsoft for logon (Windows 2000 or later), via two or three-factor authentication.  The plusID device is ISO 7816 Part 3 smart card compliant, and as such enumerates itself to a computer exactly like a standard smart card for logon, allowing for rapid enterprise integration.

How does using plusID for secure biometric logon compare to using the fingerprint sensor that is embedded in many new laptop computers? What are the advantages?

There are four key advantages to using the Privaris plusID:

1. Embedded fingerprint sensors on laptops store and process the fingerprint image on the same device that it is meant to protect, thereby creating a very real security hole.  Additionally, laptops store an unencrypted image of the fingerprint while processing it to create a template.  The plusID eliminates these security holes and significantly reduces the chances that a user’s fingerprint could be compromised.

2. Since the user’s biometric data is encapsulated by the plusID device and is not visible to the operating system, no biometric middleware is needed to add biometrics to the logon process - the standard smart card support included in the operating system is all that is required.

3. Allowing an individual to hold a fingerprint sensor in his/her hand (i.e. plusID) has proven to give the user more consistent and repeatable success in swiping their finger and generating a match.

4. The plusID device is portable, so that you only need to enroll in it once and it can then be used to log on to any machine registered in the Microsoft domain without having to enroll in each machine separately.

How does plusID connect to my PC for logon?

plusID devices connect to PCs via a standard mini-USB cable that is packaged and supplied with each plusID device. The plusID 75 model can connect to PCs via Bluetooth™ for wireless logon, in addition to connecting via USB.

Which plusID models can be used for computer logon?

All plusID device models (the 60, 75 and 90) can be used for logon via USB. However, only the plusID 75 model also supports wireless logon via Bluetooth™.

The plusID 75 model employs Bluetooth for logon, but aren’t Bluetooth transmissions insecure?

The plusID 75 does not rely on the security layer inherent in standard Bluetooth transmissions.  To secure the transmission, the plusID device automatically includes additional encryption to create a secure data tunnel for the credential transmission and delivery.

How do I use my plusID device for logon?

1. Power on the device by either connecting it via USB, or by pushing the button on the plusID that’s assigned to Bluetooth logon.

2. Verify your identity by swiping an enrolled finger down the device’s fingerprint sensor.  (If your plusID is configured for three-factor authentication, PIN entry will be prompted.)

3. Logon is complete and your desktop is displayed.

Is a PIN (personal identification number) still required with my plusID device for logon, as it is with a smart card?

Whether or not a PIN is required is determined by the Enrollment Administrator at the time of device issuance.  plusID devices can be configured for either two or three factor authentication.  Two factor = biometric only (i.e., something you are:  your biometric, and something you have:  your plusID).  Three factor = PIN + biometric (i.e., something you are:  your biometric, something you have:  your plusID, and something you know:  your PIN).  So if your device is configured for three factor authentication, then yes, a PIN will be required.

Can plusID be used for logon with non-Windows operating systems (i.e., Linux, Sun Solaris) and applications such as PeopleSoft and Oracle ERP, or an in-house developed Web application?

Yes, plusID can be used in non-Windows environments for logon, though a plug-in may have to be developed (using the Privaris plusID command set) to enable plusID to communicate with the operating system. If the operating system or application uses a standard API for interacting with tokens, such as PKCS #11, Privaris may consider supporting that API to make the integration easier. Privaris is continually developing support for additional environments. Please contact Privaris for the latest information on platforms supported. Note: Privaris’ plusID Manager software, used for enrolling and configuring plusID devices, does not work on platforms other than Windows, so device administration would still have to take place on a PC with a Windows operating system.

Can plusID be used to “unlock” Windows screensaver after periods of inactivity (e.g. no keyboard or mouse movement) in the same manner that an Active Directory Windows password is typically used?

Yes.  The plusID device interacts with the Windows operating system in the exact same manner as a smart card, which is natively supported by Windows and integrated into the screensaver unlock process, just as it is integrated into the standard login process.  The user unlocks the screen saver using their plusID just as they would use it to logon. 

Can the same device that I use for computer logon be used to open doors?

Yes.  Each plusID device is multi-function and designed to support computer logon (i.e., logical access) as well as physical access for entry to multiple doors and facilities.  Whether plusID devices are used for multiple functions is at the discretion of each issuing organization.  Only an authorized Enrollment Administrator can configure a plusID device for physical and/or logical access.

If using my plusID 75 for wireless logon, why does my PC have to have a USB port?

A USB port is required on each computer that will be used for wireless/Bluetooth™ logon in order to initially “pair” the plusID device with your PC.  Pairing is a security function that is only performed once.  It associates the plusID with the PC and enables all future communication between the plusID and PC to be conducted wirelessly.

How do I know if my computer has the Microsoft Bluetooth stack and compatible radio required for wireless logon with a plusID 75?

    • With Bluetooth radio connected/enabled, right click My Computer>Manage>Device Manager
    • Click on “Bluetooth Radios” within Device Manager. If the “Microsoft Bluetooth Enumerator” file is listed, then you have the Microsoft Bluetooth Stack and a compatible Bluetooth radio.
    • If you do not have it, contact Privaris Customer Service prior to proceeding for help with Bluetooth stack and Bluetooth radio selection

     

ENVIRONMENTAL

How durable is the fingerprint swipe sensor on the plusID device?  Why isn’t there a cover?

The plusID device employs the Authentec 2510 fingerprint swipe sensor.  Authentec, the sensor manufacturer, has done extensive testing and found the sensor to be durable and resistant to damage from normal day-to-day use and carrying in pants pockets or purses, etc. Therefore, a cover is not necessary.

Is the device suitable for use in outdoor settings?

Yes.  The plusID device has been tested and operates at temperatures ranging from a low of -4 degrees Fahrenheit, to a high of 140 degrees Fahrenheit (0-60 degrees C).  It can withstand reasonable amounts of precipitation, but like any electronic device, should not be submerged in water.

OPERATIONAL

What are the buttons on the front of the device used for?

The four buttons on the face of each plusID are programmed by the Enrollment Administrator when the device is issued to correspond to various access points.  So for example, the top left button may be used to access a vehicle gate, the bottom left to enter Building #1, the top right to enter Building #2, and the bottom right button used to logon to your computer.  Pressing any button will turn on the plusID device.  Pressing any button with an assigned access credential will power on the device and prompt a verification request (a blinking green light).

How long does a fully charged plusID battery last before the battery needs to be recharged? What if it runs out?

A fully charged battery will provide approximately 1,000 uses/verifications, lasting a typical user several months before a recharge is necessary. When the battery gets low, the device will flash a red light to signal the user. The internal battery is rechargeable via the device’s USB port and can be charged from a wall power adapter or car charger, just like a cell phone. In addition, plusID can be charged via the USB port on most computers. If the battery were to run out completely, it can be fully recharged within 2 hours. Each device comes with an industry-standard, foot-long USB cable for charging.

How are users enrolled in plusID devices?

Privaris’ plusID Manager is the device issuance software that enables device enrollment and configuration. An Enrollment Administrator performs device issuance. To enroll in a plusID device, a user simply swipes their finger over their device’s fingerprint sensor three times. The user’s fingerprint is then stored in encrypted memory as a mathematical algorithm, or template (not an image).

Can plusID devices be enrolled and configured wirelessly over Bluetooth™ using the plusID Manager software?

No.  All models of the plusID device can only be administered over a USB connection, using the plusID Manager software, even if the devices (plusID 75) will ultimately be used for wireless logon over Bluetooth.

How does the device provide feedback to the user?

plusID devices have a green, yellow, blue and red LED that illuminate to indicate authentication requests, to give success and failure feedback, to alert the user to low battery conditions, and to indicate Bluetooth™ or USB connectivity.  Additionally, the plusID75 & plusID90 models include a sounder for audible feedback of successful and unsuccessful verifications, as well as an LCD on the back of the device for one-time password (OTP) display, device personalization and low battery indication.

What if my thumb/finger is injured?

In almost all cases, you will be instructed to enroll two fingers so that either finger is usable as a back-up in case of injury.

Can plusID devices be erased and reissued?

Yes, though only the authorized Administrator can erase and reissue a device using the plusID Manager software.

How many people can use one device?

The plusID is a personal identity verification device designed for use by a single individual. If authorized by the Administrator, however, more than one person’s fingerprint(s) could be enrolled in a device. Each device can hold up to four fingerprints. (More could be added, but doing so can adversely affect verification times.) Note, though, that for security audit purposes, if more than one person is enrolled in a plusID device, it is impossible to discern which of the device’s authorized users accessed a specific facility or computer.

How do I determine what model of plusID a specific device is (60, 75 or 90)?

The model number (60, 75, or 90) is indicated on the exterior of the box in which each plusID is packaged and shipped.  Also, with a device connected to the plusID Manager software, selecting the “Devices” branch of the main menu tree will display the model number of the respective device.

What is the difference between an Administrator and a user?

An Administrator is the person(s) in an organization responsible for issuing plusID devices.  As such, the Administrator has the authority and ability to perform functions enabled by the plusID Manager software, such as enrolling, erasing and configuring plusID devices. Users are issued a plusID device as their personal credential for facility and computer access. Typically, users do not interact with the plusID manager software.

Why isn’t there a USB plug on the device so it can be plugged into a PC without a cable?

Embedding a USB connector to directly plug in to a PC would have increased the size and weight of the device. Most important, however, it would not be ergonomically effective for the user. Swiping a finger across a device plugged into a USB port would be physically difficult especially if the USB port was on the back of the PC, or the PC was located on the floor or under a desk.

Won’t all of the plusID functionality just be done in a cell phone some day?

Cell phones will continue to be a pervasive part of our lives and aggregate features and capabilities. One of the most likely additions will be the use of cell phones/PDAs for contactless payment in retail environments for low value transactions. A number of pilot projects have demonstrated the viability of this approach.

Use of a personal cell phone as a security credential in a wide range of applications presents a number of very different challenges, however. One important issue is that by nature of their primary use as a communications device, and their often frequent connection with a computer for email, contact and schedule synchronization, cell phones are at increasing risk to be hacked or attacked with malware. Industry experts predict that as the “usage value” of the phone increases these risks will become more acute. This limits their use as a true security credential.

Another challenge lies with the huge variety of phones available and their rapid obsolescence and non-uniform feature set. This is a key concern in a corporate setting where it is unlikely that a physical security organization, or IT security organization, will be comfortable with, or even able to manage, the secure deployment of credentials onto a diverse population of phones. It will simply be impossible to ensure that the devices are secure containers with valuable security credentials.

SYSTEM REQUIREMENTS

What are the minimum system requirements for:

The plusID Manager software for enrolling and configuring plusID devices?

      One personal computer with:

    • Microsoft® Windows® 2000 SP4, XP SP2, or Vista
    • Universal Serial Bus (USB) port

Using plusID for physical access?

HID (includes Corporate 1000), Indala or CASI door readers using either card format:

    • Prox (125 kHz)
    • iCLASS (13.56 MHz)

Using plusID for logical / IT access (native support)?

Server side

  • Domain controller running Microsoft Windows 2000 Server or later
  • Microsoft Certificate Services

Client side:  for logon over USB

  • Microsoft Windows 2000 or later, managed in a domain environment
  • Logical Access Support Package (included with plusID Manager Software v1.2 & later)
  • Microsoft USB CCID driver
  • USB (Universal Serial Bus) port

Client side:  for wireless logon over Bluetooth (plusID 75 model only)

  • Microsoft Windows XP SP2 or later, managed in a domain environment
  • Privaris minidriver (included with plusID Manager Software v1.2 & later)
  • Bluetooth™ Support Package (included with plusID Manager Software v1.2 & later)
  • The Microsoft Bluetooth stack*
  • A Bluetooth radio supported by the Microsoft Bluetooth Stack*
  • USB port and Microsoft USB CCID driver (for one-time pairing)

Using plusID for logical / IT access with “plusID Compatible” third party single sign-on software?

See software provider for system requirements

______________________________________________________________________

*To determine Bluetooth stack and radio compatibility:

1. With Bluetooth radio connected/enabled, right click My Computer>Manage>Device Manager

2. Click on “Bluetooth Radios” within Device Manager. If the “Microsoft Bluetooth Enumerator” file is listed, then you have the Microsoft Bluetooth Stack and a compatible Bluetooth radio.

3. If you do not have it, contact Privaris Customer Service prior to proceeding for help with:

  • Bluetooth stack selection
  • Bluetooth radio and driver selection

 

For answers to additional questions, please contact us.
