Securing the flow of U.S. transportation workers for TSA across all 50 states

The US Transportation Security Administration (TSA) is the federal agency responsible for security in all modes of transportation. A workforce spanning air traffic controllers, dock workers, US Coast Guard and millions of other transportation workers across the US.

THE CHALLENGE

TSA were looking to issue a tamper-resistant biometric credential to maritime workers requiring access to secure port facilities and vessels.

A key driver for TSA was to meet US Government Homeland Security Presidential Directive 12 (HSPD-12) standards, to achieve interoperability with other federal identity access management and implement a best practice workforce digital identity process.

Obtaining a Transport Worker Identification Credential (TWIC) smart card must provide biographic and biometric (fingerprint information), sit for a digital photograph and pass a TSA security threat assessment.

Key requirements:

• Use of FIPS 201 (PIV) technology and processes
• Combined centralized production with local card activation
• Over 160 distributed enrolment and activation centers throughout the US
• Integration with central card personalization bureau for secure printing
• Fingerprint verification of applicant prior to card activation Integration with central identity management infrastructure
• Multi-application card combining contact and contactless technology
• Strong authentication of operators and non-repudiation of operator actions

THE SOLUTION

MyID® credential management system (CMS) integrates within TSA’s federal identity management solution to provide a single software platform for end-to-end identity registration and credential issuance to TSA workers’ smart cards.

Without a TWIC card transport workers are not able to gain access to secure facilities and networks, a system that means the US Transportation Security Administration can have total confidence that only approved personnel are able to access secure buildings, systems and networks.

The MyID software is passed registration data from the IDMS and formats it into a card personalization request; this is forwarded to the personalization bureau. Printed cards are locked and sent to activation locations. The receipt of a card batch is used to trigger a notification to the applicant that their card is ready for activation. The applicant visits an activation location, places their card into a MyID activation station and follows a simple
self-service workflow that requires biometric verification before the card is unlocked, personalized with certificates and activated for use.

How MyID works for TSA

1. The port worker applying for the card visits one of over 160 distributed enrolment centers where their fingerprints, photographs and data are captured.
2. The registration system passes registration data to MyID via the lifecycle management API.
3. MyID takes the registration data and formats it for bureau production.
4. MyID batches up card requests and passes them to the card personalization bureau for production. During this process MyID can be used to enquire on the status of the production requests.
5. The bureau prints the cards and writes the applets and data to them. The cards are then locked for security purposes.
6. The card is shipped to an enrolment center in a batch.
7. MyID is used to record the delivery of the batch of cards into the enrolment location. This process triggers a notification to the port worker that their card is ready for collection.
8. The port worker attends the enrolment center and is handed their card for activation.
9. The port worker takes their card to a MyID self-service activation kiosk.
10. As the card is inserted into a reader MyID recognizes the card as requiring activation and walks the user through a simple activation process.
11. During the activation process MyID validates the port worker’s identity via a fingerprint check.
12. Once validated the card is unlocked and the port worker sets their PIN.
13. MyID then generates keys and certificate requests on-card.
14. MyID passes the certificate requests to the certificate authority and retrieves the certificates.
15. MyID writes the certificates to the card
16. The process is complete – the card is available for immediate use