Transportation worker ID moving ahead (TWIC)


From SecureIDNews -- Link

Pilots concluding but final access control policies still more than a year out

John Schwartz, program manager for the Transportation Worker Identification Credential (TWIC), was going to begin an update on the program with the words "eight-years ago," but then thought better of it. It has been that long since Congress mandated that the Transportation Security Administration (TSA) create a credential for secure access to ports, and the agency is still working on the roll out.

It will most likely be 2012 before there are widespread readers electronically verifying the credentials, Schwartz said during a presentation at the Interagency Advisory Board meeting in September. But while critics dismiss the credential as an expensive flash pass, progress has been made toward wide-scale electronic verification at ports.


The TSA reports that at 135 enrollment centers across the country, 1.7 million workers have been enrolled and of those 1.6 million have activated their ID.

Schwartz and his team are working on a congressionally-mandated reader test that will lead to the final rule for reading the TWIC. His team has done testing in the lab, in the field without looking at the impact on a port's business processes and finally in the field while considering at the impact on business.

Through lab testing the TSA approved 28 readers and associated systems, Schwartz says. The lab tests looked at reader performance in different environmental conditions, extreme hot and cold temperatures, water and humidity, as well as durability tests.

The 28 approved readers include two alternative biometric systems. If a port can show a chain of trust in enrolling a worker in the local physical access control system, it is acceptable to use an alternative biometric, such as iris, to access the facility.

TWIC follows the FIPS 201 specification but diverges in the utilization of biometric and contactless technologies. In order to access the biometric on a TWIC a cardholder must be enrolled in the local physical access control system first. That means the TWIC privacy key, which is storied on the card's magnetic stripe and chip, must be registered into the local physical access control system before it can be read using the contactless interface.

This is different from other PIV credentials where the biometric is accessed only via the card's contact interface. TWIC modified the FIPS 201 spec for its use because port operators demand high throughput and PIN protected contact interface reads were deemed too time intensive.

For the field-testing, Congress instructed that the readers be used in at least five distinct geographic locations to test the business processes, technology and operational impacts.

The sites selected for the tests needed to be from a broad spectrum of operations and climates, Schwartz says. The final report on the testing was due in April but implementing specifications and identifying volunteer ports delayed the project.

The TSA received $8.1 million to provide independent testing, data collection and analysis, Schwartz says. The ports, terminal and vessel operators received $23 million in security grants with $15 million for the pilot and the remainder held in reserve for future reader deployments.

While $15 million may sounds like a lot of money to spend on readers, it wasn't spent just on that technology, Schwartz explains. Cabling, updating infrastructure and deploying physical access control systems had to be done in many instances for the system to work.

The tests have already generated some important lessons, Schwartz says. There have been challenges integrating the TWIC readers into different physical access control systems.

The messaging from the readers needs to be standardized and made to be visible in all environments, Schwartz says. He cites the example of a card rejected by a reader without an adequate error message. "If the card gets an error the guard would tell the worker they need a new one when it may not have been registered in the PACS or something more minor," Schwartz says.

There have also been issues with creating a standard for the information processing. The TSA has determined that the sequences for authenticating the card, checking the registration in the physical access control system and checking the hot list all need to be done in the same sequence.

The read range of the contactless readers has been problematic too, Schwartz says. Ports that used proximity cards previously are reeducating workers that the card may need to be held closer to the reader than with the prior technology. The cards, which come with plastic sleeves, also have to be removed from the sleeve to be read in some instances.

Educating cardholders on how to take care of the credential has been a learning experience, he says. Some truck drivers will keep the credential around the rearview mirror in the sun and this can damage the chip and antenna.

Explaining the hot list, or revocation list, has been problematic too, Schwartz says. A worker will lose the card, call the number to report it lost at which point it is placed on the revocation list. If the worker finds the card a day or two later and tries to use it, it is flagged port security is alerted.

Other problems have included general installation issues including electrical power fluctuations, physical reader placements that are too high, too low or too far from worker, and slow turnstile and gate mechanism responses.

The TSA is planning to deliver a report with the test findings to Congress in 2011, Schwartz says. After that the U.S. Coast Guard, which is responsible for enforcing TWIC, will make a rule for ports and port operators to follow. That will most likely not be until 2012.

Because of the delay in the final rule most port operators are opting to wait before deploying TWIC reading systems, says Walter Hamilton, senior consultant at ID Technology Partners. Port operators could deploy the systems now but are afraid they will have to retrofit or tear out technology depending on the rule.

But some reader manufacturers have given guarantees that if they opt for the maintenance package the vendor will guarantee compatibility with the final rule, Hamilton says. "It give the maritime operators some level of comfort," he says.

The TSA is looking to solve some other logistics issues as well, Schwartz says. Enrollment and card activation services for remote locations can be a hardship for some areas. Workers have to show up once to apply for the credential with all the appropriate documentation and then show up again a few days later to receive and activate the card.

This has been problematic in areas where the enrollment center is far from the port or port worker's home, he explains. Congress has questioned the TSA on this, asking if the credential can be mailed but the FIPS 201 standard doesn't allow the ID to be mailed. TSA is looking at other alternatives to solve this problem.

The durability of the credential has been another problem, Schwartz says. The card is tested before leaving the central production facility and before leaving the activation center, but there have been problems with card failures in the field.

Without the presence of a TWIC team member with card analysis tools, it has been difficult to determine whether the problem is with the card, the reader or the access control system at the facility.

The TSA is considering a move from a 72K chip to a 144K chip, Schwartz says. Before the change is made official, however, they are verifying that no other system changes will be necessary and that there will be little or no impact on production and reader equipment.

The TWIC road has been a long and arduous one, ultimately taking more than a decade from mandate through roll out to electronic verification of the credential. But one day soon U.S. ports may have the increased security originally envisioned by TWIC initiators.

Recent Entries

Best Buy Express to add 100 kiosks in the next year
Minneapolis -- Best Buy Co.'s Best Buy Express plans to add nearly 100 kiosk locations in the next year spread over…
Transportation worker ID moving ahead (TWIC)
From SecureIDNews -- LinkPilots concluding but final access control policies still more than a year outJohn Schwartz, program manager for…
ADA Discussion on Kiosk Industry Group
MikeStop FollowingADA Compliance?A customer sent me this link for a recipe kiosk. (I have no affiliation.) The link takes you…
Virtual Desktops - The Right Medicine for Healthcare IT
by Mathew Hegarty  -- More and more healthcare organizations are turning to virtual desktops to address their challenges with the management, security…
Looking at VistA EHR and VA
Timely brief on VistA which is the EHR software available from the Department of Veteran Affairs.  With the recent activity…
Subway may be the first fast-food chain to utilize 2D barcode technology.
Its newest marketing scheme allows customers to use their mobile phones to collect redeemable loyalty points off of Subway products. Subway's…
Payment processing trends: What every operator should know
While there are many trends in the credit and debit card industry, security is the trend that most restaurants should…
PepsiCo in Recycling Push
Worried that most of its bottles and cans are going into the trash instead of the recycling bin, PepsiCo Inc.…
Embracing the Self-Service Economy
The past decade has witnessed a rapid growth in self service that allows consumers to take on the traditional role…
Integrating Self-Service Kiosks in a Customer-service System
Most hospitality companies have been implementing service channels with a goal of reducing costs, increasing customer satisfaction and loyalty, and reaching…
Integrating Self-Service Kiosks in a Customer-service System
Executive Summary:Most hospitality companies have been implementing self-service channels with a goal of reducing costs, increasing customer satisfaction and loyalty,…
Integrating Self-Service Kiosks in a Customer-service System
Vol 10 No 6By: Tsz-Wai Lui Ph.D. and Gabriele Piccoli Ph.D.Executive Summary:Most hospitality companies have been implementing self-service channels with a…
Wireless - Dawn of a brave new world for 4G
Natasha Royer Coons managing director, TeraNova• 09 Apr 2010Over the past five years, the evolution of wireless networks to 3G data speeds,…
Everybody Wants it for Free Syndrome
From SSKA Blog -- Twice a year there is a nice study on "Top Ten Mistakes of Kiosk Deployment" and…
Ariane Systems group to develop mobile self-service platform for the hospitality industry
PARIS, France, 19th March 2010 - Ariane Systems VIKI project selected in Aug-2009 and partially financed by the ERDF (European Regional Development…
Flaws in chip and pin bank card security identified
Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a…
Self-service trends in 2010
Craig Keefner • 05 Jan 2010By the end of 2009, there were almost 30,000 DVD-vending kiosks deployed, with more on the way.…
Radiant Being Sued by Restaurants for violating PCI Compliance
Radiant being sued not over it's Aloha system which is PCI-validated but over the use of PC Anywhere.Restaurants Sue Vendor…
Lessons Learned From PCI Compliance
Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for a an evaluation, we asked…
2009 Encryption and Key Management Industry Benchmark Report
Report from trust catalyst detailing the trends and obstacles to data encryptions, applications affected, and why it's important (average cost…



  |