The most cost-effective and secure credential for all identity and access enterprise-wide
Organisations typically have many different systems that require user identity verification, such as secure logon to the IT network, the release of documents from printers, controlled access to buildings and restricted areas, as well as cashless canteen vending.
Making it possible for each staff member to use just one credential for all these identity and access applications not only makes life easier for them, which aids their productivity, but also strengthens security across the organisation by enforcing behaviours that ensure protective measures are not circumvented (such as users leaving unlocked workstations unattended, or allowing other people access using ‘loaned’ IDs).
Furthermore, having just one user identity database for all applications, enterprise-wide, avoids wasteful resource duplication and significantly reduces overall costs.
Smartcard-based network logon security can readily be implemented within an organisation by leveraging the strong two-factor authentication infrastructure that has long been built-in to successive generations of Microsoft operating systems. Using this standards-based PKI technology allows the same cards and infrastructure to be used for other applications, including disk encryption, email encryption and digital signatures.
Contact smartcard chips are ideally suited to PKI-based applications, providing the ‘gold-standard’ in security by utilising private keys which are generated and stored securely in the chip, protected against external access, and never shared. The chip hardware from established manufacturers includes design features that prevent keys from being extracted, even if probed by an electron microscope, and so achieve certification to the highest international standards, such as EAL 5+ and FIPS 140-2.
‘Hybrid’ smartcards combine a separate contactless RFID interface chip with a contact PKI chip in the same card body. This enables the best choice of standards-based contact and contactless technologies to be selected for an organisation’s specific requirements. ‘Dual interface’ cards are also available, which employ a single chip rather than the multiple chips used in hybrid cards, but the limited choice available does not support the common RFID technologies required for most applications of door access control and follow-me printing.
Mobile-device-based credentials appear to offer a convenient alternative to issuing each staff member with a smartcard; they do, however, introduce the burden of managing and maintaining multiple apps and device platforms, a task that becomes even more complex as these proliferate over time.
Issuing employees with smartcards commonly supports wider site security requirements, as they can be printed on for use as an easily recognisable company ID, bearing a photo of the user and worn on a lanyard.
The actual security of any digital credential ultimately depends on how well its encryption keys are protected. As mentioned already, contact smartcard chips have been certified to the highest security standards. Mobile devices support 2FA by hosting various app and cloud-based implementations of cryptographic algorithms; such software-based solutions are at greater risk from malware attack and the security of encryption keys depends very much on the particular mobile device and OS in question.
While mobile credentials solutions have become increasingly available, across an ever widening range of identity and access applications, their adoption is currently limited by their far greater cost in comparison to well-established and reliable smartcard solutions.
Security benefits of converged credentials
Combining the identifications required for both logical access and physical access into a single ‘converged credential’ facilitates the streamlining of steps in staff on-boarding and off-boarding, helping to avoid the very common process breakdown that leaves former employees with access to an organisation’s systems and data. The scale of this issue has been illustrated in several surveys over recent years; typical of these is a 2017 survey(*1) completed by 500 IT professionals in the U.S. which revealed:
- 48% are aware that their organisation has problems with de-provisioning access for ex-employees.
- 20% of the total group surveyed reported that these failures resulted in a data breach.
Staff always tend to find the most expedient ways of getting their work done, even if short-cuts may result in security vulnerabilities. For example, the benefits of two-factor authentication for securing IT access can be negated by users leaving PCs logged on while they’re away from their desks.
Issuing each staff member with a single card for IT access as well as opening doors (amongst other uses) naturally compels them to carry their ID cards with them at all times. Microsoft Windows can be configured using a standard Group Policy to either lock a workstation, or log the user off completely, when a user’s smartcard is removed from an attached reader. IT access is then automatically secured when the user goes elsewhere – to pick up a coffee or collect a document from a printer perhaps.
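The Windows setting described above is the ‘Interactive logon: Smart card removal behavior’ security option. The following PowerShell is an added example, not code from the page or from Dot Origin; it configures and audits that option on a single machine through the registry value and service that back the policy. In a domain the same option is normally set centrally via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), and the audit function is the part worth keeping for compliance checks. Run it in an elevated session; the function and parameter names are this example’s own.

```powershell
# Added example: set and verify Windows smart card removal behaviour.
# The policy is backed by the REG_SZ value ScRemoveOption under the Winlogon key
# and is only enforced while the Smart Card Removal Policy service (SCPolicySvc)
# is running, so the audit checks both.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Documented ScRemoveOption values:
#   0 = No action, 1 = Lock workstation, 2 = Force logoff, 3 = Disconnect (remote session)
$RemovalBehaviour = @{
    NoAction    = '0'
    Lock        = '1'
    ForceLogoff = '2'
    Disconnect  = '3'
}

function Set-SmartCardRemovalBehaviour {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoAction', 'Lock', 'ForceLogoff', 'Disconnect')]
        [string]$Behaviour
    )
    Set-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' `
        -Value $RemovalBehaviour[$Behaviour] -Type String
    # Without the service the registry value is inert: make it start automatically and start it now.
    Set-Service -Name 'SCPolicySvc' -StartupType Automatic
    Start-Service -Name 'SCPolicySvc'
}

function Test-SmartCardRemovalBehaviour {
    # Returns one object per machine describing whether removal is actually enforced;
    # suitable for feeding into a wider audit script.
    $value = (Get-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
    $svc   = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $configured = ($value -in '1', '2', '3')
    [pscustomobject]@{
        ScRemoveOption = $value
        Configured     = $configured
        ServiceStatus  = if ($svc) { $svc.Status } else { 'Missing' }
        ServiceStart   = if ($svc) { $svc.StartType } else { 'Missing' }
        # Effective only when the value is set AND the enforcing service is running.
        Effective      = $configured -and $svc -and ($svc.Status -eq 'Running')
    }
}

Set-SmartCardRemovalBehaviour -Behaviour Lock
Test-SmartCardRemovalBehaviour | Format-List
```

The Effective field is the one to alert on: a machine can carry the correct registry value and still not lock on card removal if SCPolicySvc has been stopped or disabled, which is a common reason the control silently fails in practice.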
The greater the number of applications that the converged credential is used for, the more indispensable it becomes to personnel, resulting in credentials with photo-ID being reliably worn by staff moving around a site, and quashing the practice of lending colleagues IDs to allow them unauthorised access to controlled areas or resources.
Similarly, fully-online and integrated door access control systems can be used to ensure that users can only log on to their PC, or access other IT resources, if they have badged through a door, thus eliminating most ‘pass-back’ and ‘tailgating’ issues with access cards.
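The logon gate described above can be expressed as a simple correlation rule between the physical access control system (PACS) event log and the IT logon request. The PowerShell below is an added example, not code from the page or from Dot Origin: the event format, the zone map, the user names and the 12-hour window are all constructed for the illustration, and the function names are this example’s own. In a real deployment the rule would run in the identity provider or a network access control hook rather than as a standalone script.

```powershell
# Added example: permit an IT logon only if the PACS last saw the user badge IN to
# the zone that contains the workstation, and has not seen them badge OUT since.

# Constructed map of workstations to the physical zone they sit in.
$WorkstationZone = @{ 'WS-0412' = 'Floor4'; 'WS-0101' = 'Lobby' }

# Constructed PACS events (time, user, zone, direction).
$PacsEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-05T08:02:00'; User = 'jsmith'; Zone = 'Floor4'; Direction = 'In'  }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T08:05:00'; User = 'ajones'; Zone = 'Floor4'; Direction = 'In'  }
    [pscustomobject]@{ Time = [datetime]'2024-03-05T12:30:00'; User = 'ajones'; Zone = 'Floor4'; Direction = 'Out' }
)

function Test-LogonPermitted {
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [string]$Workstation,
        [Parameter(Mandatory)] [datetime]$At,
        [object[]]$Events = $PacsEvents,
        # Assumed site rule: a badge-in older than this no longer vouches for presence.
        [timespan]$MaxAge = [timespan]::FromHours(12)
    )
    $zone = $WorkstationZone[$Workstation]
    if (-not $zone) {
        return [pscustomobject]@{ User = $User; Workstation = $Workstation; Permitted = $false; Reason = 'unknown workstation' }
    }

    # Most recent badge event for this user in this zone at or before the logon attempt.
    $last = $Events |
        Where-Object { $_.User -eq $User -and $_.Zone -eq $zone -and $_.Time -le $At } |
        Sort-Object Time -Descending |
        Select-Object -First 1

    $permitted = $false
    if (-not $last)                         { $reason = 'no badge-in on record' }
    elseif ($last.Direction -ne 'In')       { $reason = 'user badged out of zone' }
    elseif (($At - $last.Time) -gt $MaxAge) { $reason = 'badge-in older than allowed window' }
    else                                    { $permitted = $true; $reason = 'badged in at ' + $last.Time.ToString('s') }

    [pscustomobject]@{ User = $User; Workstation = $Workstation; Permitted = $permitted; Reason = $reason }
}

# Constructed logon attempts against the sample events.
Test-LogonPermitted -User 'jsmith' -Workstation 'WS-0412' -At ([datetime]'2024-03-05T09:00:00')
Test-LogonPermitted -User 'ajones' -Workstation 'WS-0412' -At ([datetime]'2024-03-05T13:00:00')
Test-LogonPermitted -User 'bwong'  -Workstation 'WS-0412' -At ([datetime]'2024-03-05T09:00:00')
```

The three attempts cover the cases the text mentions: a user who badged in (permitted), a user who has since badged out (denied, which is what defeats pass-back), and a user with no badge event at all (denied, which is what defeats tailgating). Note the rule depends on the PACS being fully online and sending exit events; doors without exit readers leave the ‘badged out’ branch unreachable.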
Because hybrid smartcards combine separate chips within a single card form factor, it’s possible to configure the solution to an organisation’s specific needs, using established technology standards that provide the flexibility to integrate with an extensive range of identity and access applications.
Contactless applications, including building access, can make use of up-to-date technologies, such as DESFire, iCLASS and SEOS, which support mutual authentication with card readers before transferring encrypted identification information. Older RFID chip technologies rely on a simple manufacturer chip serial number (UID) or a programmed identification number which is not protected from being read by any reader, making them vulnerable to card cloning attacks. Multiple RFID chips can also be incorporated, to support migration from legacy to modern access control systems, and/or multiple systems.
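To make the difference between the two card generations concrete, the PowerShell below is an added simulation, not code from the page, from Dot Origin, or from any card vendor. It models a legacy reader that trusts whatever serial number the chip announces, beside a reader that requires the card to prove knowledge of a per-card key (and proves its own in return) before the UID is trusted. HMAC-SHA256 challenge/response stands in for the AES/3DES cipher suites that DESFire, iCLASS and SEOS actually use; the wire format, the key diversification step and all function names are this example’s own assumptions, chosen only to show the security property, not any product’s protocol.

```powershell
# Added example: UID-only reader versus mutual-authentication reader.

function New-RandomBytes([int]$Count) {
    $bytes = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes   # unary comma keeps the array intact on return
}

function Get-Hmac([byte[]]$Key, [byte[]]$Data) {
    $mac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { return ,$mac.ComputeHash($Data) } finally { $mac.Dispose() }
}

function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    # Constant-time comparison: a verifier should not leak how many bytes matched.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Get-DiversifiedKey([byte[]]$MasterKey, [byte[]]$Uid) {
    # Assumed scheme: per-card key derived from a site master key and the UID, so
    # a key recovered from one card does not open every door for every card.
    return Get-Hmac -Key $MasterKey -Data $Uid
}

# --- Legacy reader: accepts any chip that announces an enrolled serial number ----
function Invoke-LegacyReader([hashtable]$Card, [string[]]$EnrolledUids) {
    $uidHex = [BitConverter]::ToString($Card.Uid)
    [pscustomobject]@{ Reader = 'Legacy UID'; Uid = $uidHex; Accepted = ($EnrolledUids -contains $uidHex); Reason = 'UID matched only' }
}

# --- Mutual-authentication reader: both sides prove the key before the UID is trusted
function Invoke-MutualAuthReader([hashtable]$Card, [byte[]]$MasterKey, [string[]]$EnrolledUids) {
    $uidHex = [BitConverter]::ToString($Card.Uid)
    $readerKey = Get-DiversifiedKey -MasterKey $MasterKey -Uid $Card.Uid

    # 1. Reader challenges the card with a fresh nonce.
    $rndA = New-RandomBytes 16
    # 2. Card side: answers with its own nonce and a MAC over both, using the key it holds.
    #    A clone that copied only the readable UID holds no valid key.
    $rndB = New-RandomBytes 16
    $cardProof = Get-Hmac -Key $Card.Key -Data ($rndA + $rndB)
    # 3. Reader verifies the card's proof before believing the UID.
    if (-not (Test-BytesEqual $cardProof (Get-Hmac -Key $readerKey -Data ($rndA + $rndB)))) {
        return [pscustomobject]@{ Reader = 'Mutual auth'; Uid = $uidHex; Accepted = $false; Reason = 'card failed to prove key' }
    }
    # 4. Reader proves itself; a genuine card releases nothing to a reader that cannot.
    $readerProof = Get-Hmac -Key $readerKey -Data ($rndB + $rndA)
    if (-not (Test-BytesEqual $readerProof (Get-Hmac -Key $Card.Key -Data ($rndB + $rndA)))) {
        return [pscustomobject]@{ Reader = 'Mutual auth'; Uid = $uidHex; Accepted = $false; Reason = 'reader failed to prove key' }
    }
    [pscustomobject]@{ Reader = 'Mutual auth'; Uid = $uidHex; Accepted = ($EnrolledUids -contains $uidHex); Reason = 'mutually authenticated' }
}

# --- Constructed sample data ---------------------------------------------------------
$masterKey = New-RandomBytes 32
$genuine   = @{ Uid = New-RandomBytes 7 }
$genuine.Key = Get-DiversifiedKey -MasterKey $masterKey -Uid $genuine.Uid
$enrolled  = @([BitConverter]::ToString($genuine.Uid))
# A card that copied the freely readable UID but never had the key.
$clone = @{ Uid = $genuine.Uid; Key = New-RandomBytes 32 }

Invoke-LegacyReader     -Card $genuine -EnrolledUids $enrolled
Invoke-LegacyReader     -Card $clone   -EnrolledUids $enrolled
Invoke-MutualAuthReader -Card $genuine -MasterKey $masterKey -EnrolledUids $enrolled
Invoke-MutualAuthReader -Card $clone   -MasterKey $masterKey -EnrolledUids $enrolled
```

The four calls show the point of the paragraph: the legacy reader accepts both cards because the UID is the only thing it checks, whereas the mutual-authentication reader accepts the genuine card and rejects the copy at step 3 with ‘card failed to prove key’. The reader-side proof in step 4 is what stops a rogue reader harvesting credentials from genuine cards, and the constant-time comparison is the usual precaution when verifying any MAC.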
Card Management Systems (CMSs) help organisations deploy and manage smartcards quickly, efficiently and securely. Hybrid cards comprising contact and contactless chips, each used for multiple applications, can be managed easily with CMS tools that connect to enterprise directories, certificate authorities, card printers, and more.
Dot Origin is an independent supplier and developer of identity based security solutions - specialising in two-factor authentication, PKI, smartcard, mobile, biometric and other credentials, with unique capabilities in unifying and strengthening physical and IT-access controls.
Contact us for impartial advice on the benefits of a converged identity and access management solution for your organisation.