Best Practices for the Use of RF-Enabled Technology in Identity Management

With the current debate and concern about technology implementation for identity management, the Smart Card Alliance advocates these best practice guidelines for use of radio frequency (RF)-enabled technology for identity management. Smart card-enabled RF technologies supported by the Smart Card Alliance are able to provide these security and privacy protections.

Implementation Principle

Any application involving the verification of an individual’s identity and the use of RF technology must include appropriate security techniques throughout the identity verification system to ensure the confidentiality, integrity and validity of identity information when data is being stored, transported, or accessed. This protects the individual by ensuring that all information remains secure and confidential.

The following best practices are strongly recommended:

Security: Ensure use of appropriate security

  1. Implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application.

  2. Ensure protection of all user and credential information stored in central identity system databases, allowing access to specific information only according to designated access rights.

  3. Verify identification credentials for both integrity and validity.

Personal Privacy Protection: Provide notice, disclosure and ability for redress

  1. Notify the user as to the nature and purpose of the personally identifiable information (PII) collected, its usage and length of retention.

  2. Inform the user about what information is used, how and when it is accessed, and who has access to it.

  3. Provide the user with a redress mechanism to correct information and to resolve disputes.

  4. Utilize the minimum PII needed to satisfy the application and no more.

  5. Ensure use of the PII only for the purpose originally disclosed.

  6. Ensure that the user has provided explicit consent for the operational use of the credential in all application scenarios.

  7. Educate the user on their responsibilities for using and safeguarding the credential and for reporting a lost or stolen credential.

In addition to the recommendations above, organizations issuing government identity credentials also need to consider Federal and state regulations for information privacy when implementing an identity verification system.

The Smart Card Alliance recommends that all applications of RF technology for identity management consider the needs of the credential holder as well as the issuer when implementing an RF-enabled identity management system and embrace these security and privacy guidelines.

About the Smart Card Alliance Identity Council

The Smart Card Alliance Identity Council is focused on promoting the need for technologies, legislation, and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.
