Although these so-called smart cards--and their less technology-laden brethren, chip cards--have been relatively well-received overseas, the reception in the United States remains frosty. But efforts under way in the United States to better protect its borders and increase company security may finally give the smart card its day. Steven Humphreys, CEO of identity-management software maker ActivCard, already has deals to launch as many as 50 million cards over the next 10 years, with about 80 percent going to government agencies such as the U.S. Department of Defense (DOD), the U.S. Department of the Treasury and the Secret Service.
CNET News.com spoke with Humphreys to learn why he believes smart cards are finally getting a serious look in the United States after so many false starts.
Q: Have smart cards found their "killer app"?
A: I hate to call it a killer app, but it is definitely something that we do have right now. You have cards to get into your building; you have passwords; you have tokens. Now some people have biometrics. It's all about managing identities.
What are the advantages of smart cards for security?
It gets me in the building. On one card I have all of my passwords. With a card in a laptop with valid serial numbers, whenever I go to one of my sites whose password I've saved, it pulls the user ID and password off, and I don't even need to deal with it.
So password consolidation is there. The security is there. The physical access as well as the logical access and local encryption and security are there. And when I go remotely, the one-time use passwords are there. People are already doing all these things.
We have seen the biggest and fastest traction with the Department of Defense.
The cost is much lower. In the average corporate environment, when you forget your password and call in, it costs about $35 a help-desk call--and that's to get a password reset, to change the password, to make sure it takes throughout the system, and to make sure the user has the password and is up and running again. On average, people do it six to seven times a year--about $200 per person per year is being spent on this problem.
What's driving smart card adoption?
Companies are finding that they are already managing identity--but in a fragmented way. When they integrate it, then they actually get cost reductions. That is why this is taking off in the enterprise space.
To what extent are the laptop and PC makers on board with putting smart card readers in their machines?
The big thing was to get the external readers to drop in price. A smart card reader used to cost about $100 per user; it now costs $10. And the cost of goods is under $5. That's made a big difference.
Is there a consumer side to this? There are a lot of consumers that have 30 or 40 passwords out there and might like that functionality.
I think there ultimately will be. The big businesses are already managing a bunch of badges and locations and everything else. I think that, in five years, users will be able to buy it off the shelf: You get a client, put in all your passwords and you are off and running. But right now, it's more of an organizational implementation.
Have you seen a push in the smart card/chip card market because of homeland security?
We have seen the biggest and fastest traction with the Department of Defense. They are issuing these at about 11,000 a day right now.
Are any other branches of the government using them?
We are also selling into the Department of the Treasury and its Internal Revenue Service, the Department of the Interior, the Secret Service, the Department of Energy, the Department of Justice and a couple of others that aren't yet public. They are all beginning to deploy identities and identity management.
To function in society, you need to disclose some information.
That's a good question. The DOD project started well before 9/11. We started deploying in August of 2001. They have gotten up to a rate of 11,000 a day. In the absence of 9/11, I don't think it would have happened that fast. I think it would have gotten up to 5,000 or 6,000 a day and then stabilized. On the corporate side, I don't think we are making that many sales driven by security: If they save money, they'll buy it. And if they don't save money, they won't buy it.
What programs are on the horizon?
The transportation workers' identity card is one of the biggest ones--and that's the idea that all of our ports and truckers and everyone else should be identified if they are moving stuff around. You can't stop them from moving something that's bad. But if you know exactly who is moving what, people are far less likely to move something that is bad knowingly.
Another initiative came when the Department of Homeland Security put out a directive to secure infrastructure at the state level. The idea is that all the public utilities--water, telecommunications and power--should be secured. Right now, they aren't. There is this whole tug of war going on with the states saying that they don't have any money to do this, and the federal government saying it's a state issue.
Do you think that all utility workers will have an identity card?
Yes, some sort of state-issued identity card.
It sounds like an identity trail is being built up for anyone who has access to some part of the critical infrastructure.
How do you make sure that data is handled correctly? Do you need a law or regulation that specifies when certain groups or agencies or people can see a person's private data?
Some of that is in the Bush administration's " " proposal. But I think the real answer is that it needs to happen one implementation at a time. No one questions that military personnel should have secure identity cards and that the military should probably know most of what personnel are up to--especially if they are checking out weapons or something like that. On the other extreme, take driver's licenses: We don't want everyone to know exactly where we are going at every given moment when we are driving our car.
But when it comes to a power plant worker or a water utility worker, we sure want to know when they come in and what they did while they were in there. I think it is one case at a time. You want to be sure that the system is secure enough that what you want to disclose is disclosed and what you don't want to disclose is not disclosed at all. I think it will be very hard to come up with a single policy across the board that everyone agrees on, because you will have the ACLU on one end and you will have Secretary of Defense Donald Rumsfeld on the other.
So you think everything will take care of itself? That there is nothing to worry about?
There is never nothing to worry about. But each issuance of identity and use of that identity should be done in a way that is the result of a mutual agreement. That agreement--once entered into--cannot be violated.
Some people will voluntarily expose certain information to their employers, for instance. Those who don't want to expose any won't have to. But to function in society, you need to disclose some information. Entering a password is by definition disclosing information to people whom you decided to disclose it to. It lets us securely disclose what we want to disclose and make sure that we don't disclose what we want to keep private.