
In many organizations these days, employee IDs are very multi-functional. They can serve as:

  • Visual identity verification. (Including employee photo, name, ID number, and other details on the face)
  • Building access control. (Via RFID, prox card, bar code, magnetic stripe, or smart chip)
  • Computer access control. (Smart chip)
  • Encryption & digital signature certificate storage. (Smart chip)

All of these functions can be conveniently packed into one card, no larger or thicker than a common credit card. However, it may be more practical to some if the latter two functions were separated. Instead of a completely all-in-one solution, perhaps they could have one badge used as their visual ID and building access control, and another badge (or other hardware authenticator) used for certificate storage and computer access control.

What would be the risk tradeoffs between these?

Iszi

2 Answers


WRT a smart card being used as an authentication factor for computer access, the private key on the smart card can be protected by a PIN/password. So the smart card auth can also provide the additional factor of "what you know" in addition to "what you have."

For most users, the risks are acceptable when compared to the cost of managing provisioning/distribution and operation of multiple sets of physical authentication tokens. I've seen people in different organizations and consultants carry around a chain of smart cards and usb tokens for the various organizations they are consulting for. Granted, offering a service provider model for identity management is still a while away, there's a trend to offer simpler auth models (i.e. outsourced second factor auth, openid, hoth, etc).

For higher risk users or locations, I often see additional factors for authentication. For example, three-factor is fairly common (biometric, card, pin, weight). In addition, I've worked with organizations where I only need to present a card + biometric in a mantrap during business hours, but after business hours I also need to use an additional factor. In addition, high risk users usually are subject to additional segregation of auth keys versus signing keys. So, there's a second device used to contain a non-repudiated signing key to authorize certain transactions.

Organizations and users with very sensitive information leverage additional controls that sacrifice simplicity and speed for security. Even a simple mantrap takes longer to auth a user than a turnstile.

With that said, organizations that consolidate all functions are usually larger in size with multiple physical locations. Such organizations can realize cost savings by consolidating into one vendor, one card, etc. Though I've seen more small-medium organizations go the route of consolidated access control, they are few and far between (passwords are still common and by far cheaper than implementing hardware auth).

If anything, security 101 includes a long blurb and discussion on defense-in-depth. Consolidating functions doesn't necessarily open up more risk as long as risk is identified and managed.

bangdang
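The factor model in the answer above (PIN-protected card as "have" + "know", extra factors for high-risk users, mantraps and after-hours access, and a separate device for the signing key) can be expressed as a small risk-based policy. The following is an added illustration, not code from the original thread or from any product mentioned in it; the resource names, tiers, business-hours window and `Factor` values are constructed assumptions chosen to mirror the scenarios the answer describes.

```python
"""Risk-based factor policy for combined physical/computer access (constructed example).

Models the pattern described in the answer: a PIN unlocks the card's private key,
so workstation logon needs card + PIN; high-risk users and mantraps add a
biometric; after-hours physical access adds a further factor; and signing a
transaction needs a second device that holds the non-repudiation key.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from enum import Enum


class Factor(str, Enum):
    CARD = "card"                        # something you have: the badge / smart card
    PIN = "pin"                          # something you know: unlocks the card's key
    BIOMETRIC = "biometric"              # something you are
    SIGNING_DEVICE = "signing_device"    # separate token holding the signing key


class Tier(str, Enum):
    STANDARD = "standard"
    HIGH_RISK = "high_risk"


@dataclass(frozen=True)
class Request:
    user_tier: Tier
    resource: str            # assumed names: "door", "mantrap", "workstation", "transaction"
    at: time                 # local time of the attempt
    presented: frozenset     # factors the user actually presented


# Assumed business-hours window for the "after hours needs an extra factor" rule.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def required_factors(req: Request) -> frozenset:
    """Compute the set of factors the policy demands for this request."""
    need = {Factor.CARD}
    if req.resource in ("workstation", "transaction"):
        # Computer access uses the card's private key, which only the PIN unlocks,
        # so a lost or stolen card on its own is not enough.
        need.add(Factor.PIN)
    if req.resource == "mantrap" or req.user_tier is Tier.HIGH_RISK:
        need.add(Factor.BIOMETRIC)
    after_hours = not (BUSINESS_HOURS[0] <= req.at < BUSINESS_HOURS[1])
    if after_hours and req.resource in ("door", "mantrap"):
        need.add(Factor.PIN)  # additional factor outside business hours
    if req.resource == "transaction":
        # Auth key and signing key are segregated: signing needs the second device.
        need.add(Factor.SIGNING_DEVICE)
    return frozenset(need)


def authorize(req: Request) -> tuple[bool, frozenset]:
    """Return (allowed, missing_factors) for a request."""
    missing = required_factors(req) - req.presented
    return (not missing, missing)


if __name__ == "__main__":
    samples = [
        Request(Tier.STANDARD, "door", time(10, 0), frozenset({Factor.CARD})),
        Request(Tier.STANDARD, "workstation", time(10, 0), frozenset({Factor.CARD})),
        Request(Tier.HIGH_RISK, "mantrap", time(20, 0),
                frozenset({Factor.CARD, Factor.BIOMETRIC})),
        Request(Tier.HIGH_RISK, "transaction", time(10, 0),
                frozenset({Factor.CARD, Factor.PIN, Factor.BIOMETRIC})),
    ]
    for r in samples:
        ok, missing = authorize(r)
        print(f"{r.user_tier.value:9} {r.resource:12} {r.at}  "
              f"{'ALLOW' if ok else 'DENY'} missing={sorted(f.value for f in missing)}")
```

The decision is deliberately a pure function of the request so it can be unit-tested and reviewed as policy; the second sample shows the point the answer makes about the PIN: a card presented without its PIN is denied at the workstation even though the same card opens the door during business hours.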

Why would you want to separate the two? You could do this with a PKI Contactless dual interface card and reader, or just deploy contact cards for those who need extra security in sensitive environments.

Using a contactless card with 13.56 MHz technology and a compatible reader is great for advanced authentication for users who need to have a second factor. If the employee has access to generic programs on the system, then it doesn't make sense to spend more on a dual interface card for this user. They would be fine with a regular contactless card.

However, some users have access to highly sensitive information and may need something much stronger. This can be achieved with the contact smart card that has the gold chip embedded on its surface, or a dual interface card that is PKI enabled and looks like a regular contactless card without the gold chip, and allows the user to have both forms of security. These cards are much more expensive, and that can be cost prohibitive across the board.

A good solution to this is to map out what users access what programs, and then decide who would benefit from using the more expensive cards, and stick with the cheaper ones for those who don't.

The cost is the major factor for not using two separate badges, and it is more for the user to have to keep up with.

The company I work for has software that will manage all of this for most types of cards and readers, and the software contains other features that can be utilized as well like risk-based authentication, emergency access, self-reset of PIN and PKI Certificates, etc. You have many options here.

Iszi
    I haven't seen contactless cards used much for authentication on computer systems. More often, you'll have to physically insert your smart card. The issue there comes when the user leaves for lunch and forgets their card in the computer and can't get back into the building. – Iszi Aug 17 '12 at 16:55
  • @Iszi: Not that that's ever happened to anyone...right? – Scott Pack Aug 17 '12 at 17:00
  • I do know of an org that uses the same smartcard for building entry and exit **and** desktop access. Which means you do tend to keep your card with you. They wouldn't ever use a contactless one though - too high a risk of a contactless reader :-) – Rory Alsop Aug 20 '12 at 14:18