Proven products for all card rollout, helpdesk and authentication requirements of the banking sector

Currently, it is typical that bank employees are provided with virtual desktop sessions from a terminal server farm. And it is often the case that Citrix® XenApp™ or XenDesktop™ solutions are used. Furthermore, at the employees’ workplaces
slim computers are used, so-called thin clients, which can be administered centrally.

The thin clients, with either Windows or an economic alternative operating system like Linux, e.g. IGEL Linux or eLux, are the front-ends for all logon processes.

The requirements on the logon processes vary from country to country and [German] Land to Land and – as I’m sure you have guessed – from bank to bank.

Nevertheless, it has become widely known and it has now become mandatory almost everywhere, that a secure employee authentication requires a powerful PKI-linked two-factor or multi-factor authentication.

This means that the whole range of password-based logon processes, from logons by password alone, via logons by password and user ID , to the fairly impressive authentication solutions by OTP (one time password) are on the retreat and are being squeezed out by powerful authentication solutions.

The basis for a powerful authentication, a public key infrastructure (PKI), is delivered more or less free of charge with the Microsoft server technology and it is also perfectly integrated, which means that there is no point in the banking environment in using external trust centres for secure smart card logon solutions.

As manufacturers of proven products for all card rollout, helpdesk and authentication requirements of the banking sector, we feel at home on this terrain.

Core components of the product suite for the bank sector:

  • A flexibly configurable card management system with which various card rollout strategies can be implemented, and with which smart cards can be optically, contact-based and contacless personalised and be monitored over the total smart card life- cycle.
  • Flexibly usable helpdesk modules for unlocking smart cards and issuing replacement cards via distributed networks and large distances
  • Smart card PKI logon solutions for Citrix environments, powerful two-factor or multi-factor authentication solutions with smart card and PIN and/or biometric features
  • Support of complex user authentication scenarios for cashier activities

For the smart card and PIN products we also provide solutions with Secure PIN Entry. For these solutions the secure input of a PIN takes place at a card terminal PIN pad. In this case the PIN is transferred directly from the PIN pad to the smart card and not via a potentially insecure USB cable.

For the smart card PKI biometric logon solution the authentication is not carried out with possessions (card) and knowledge (PIN) but with possessions and being, e.g. with fingerprints, hand vascular pattern and iris or face recognition.

Fingerprint match-on-card solutions

Banks who “like it biometric” use our fingerprint match-on-card solutions.

SEFIROT has specialised in authentication solutions with smart card and fingerprints. The smart card is a secure store for your fingerprints and also for checking the prints when the finger has been placed on the smart card itself.

Decentralised capture of employee fingerprints

Most banks have a network of branches. In this case it helps if the centralised productions and issue of employee IDs is decoupled from fingerprinting. This is the way we do it. Fingerprint capture can be decentralised in the branches subsequent to the production and issue of smart cards.

For this purpose we have the product SEFIROT Biometrics Client. Designed as an offline component, this product is a highly secure mobile unit for the decentralised capture of fingerprints and the direct storage of reference images on the smart card enabled for this purpose and inserted for the case concerned.

Other features of the biometric solution for the financial area:

  • Reference fingerprints are stored exclusively and securely on the smart card, i.e. there is no centralised and security-critical storage of fingerprints.
  • Checking a fingerprint “match code” takes place on the smart card itself and not external to the card.
  • The smart cards have user certificates and RSA key pairs so that after a successful fingerprint check only a secure PKI-linked authentication takes place, i.e. passwords are never ever used again.

Support of complex user authentication scenarios for cashier activities

Counter and cashier systems are fitted with peripheral equipment which you don’t find at workplaces of other bank employees. This equipment can take up to 20 minutes to warm up from the switched off state. For this reason cashier applications are often operated under a group account, e.g. the account of a user for general technical applications. This means that once a day the warm-up cannot be avoided. After that the equipment is no longer switched off but access to it at breaks and shift changes is locked and subsequently unlocked.

Apart from the logon of the group account, users must also logon to their own user account at the cashier’s workplace and be able to change over between these sessions at all times.

With our smart card authentication solutions for the counter and cashier area, group and individual user accounts can all at the same time be addressed and controlled.

We are specialised in complex authentication requirements for cashier activities – known in [German] savings banks as “BSB-S” user cashier scenario – which includes the behaviour of applications and sessions for card actions like inserting or removing a smart card.

Our smart card solutions for the counter and cashier area are matched precisely to the processes and workflows, and ensure that these take place securely and efficiently.

Multi-functional ID for optimal workflows in the financial institution

There is no doubt that when implementing a smart card PKI logon solution – a powerful multi-factor authentication solution – in financial institutions we account for all topics which can be covered by a smart card fitted with a contact chip and contactless technology (RFID).

Instead of having to lug a set of cards around, it’s much better to use a single multi-functional smart card.

If so desired, we can construct a smart card in such a way, that apart from the crypto contact chip any RFID components required by the client (Mifare, Legic, Hitag, and others) are integrated in the card.

Apart from the powerful authentication at the workplace computer the cards can be used for cashless payments in the canteen, for opening cabinets and doors, for logging on for time recording, and for other applications.

We add and code the RFID components either in advance or hand over to our customers the coding units and plug-ins for the card management system, so that the smart cards can be personalised at the customer’s premises.

A printer and coding machine is also necessary to enable the optical, contact-based and contactless personalising of the smart cards to be carried out in the financial institution.