8

This seems to be a question that blurs the line between physical and IT security, but I'm hoping it's relevant enough!

In order to meet with PCI standards, our company recently switched from an open door with after-hours hand scanner, to an RFID+Security badge system.

I was just informed today (it wasn't part of our training procedures, hooray!) that keeping the RFID key fob on the same lanyard/chain/etc as ones ID badge is verboten. Now to me this seems absolutely pointless and probably more dangerous, because now if either my fob or badge is stolen it seems that the reasonable assumption would be "Oh, I just misplaced it/forgot it/it fell off in my car/etc."

Is there any valid reason to prohibit physically connecting (e.g. sticking them on the same keyring) the identification mechanism (my badge) from the authentication mechanism (my fob)?

Wayne Werner
  • Perhaps related: http://security.stackexchange.com/questions/14514/what-are-the-risk-tradeoffs-of-all-in-one-smart-ids-vs-using-a-separate-hardw – Iszi Sep 04 '12 at 12:41
  • Definitely related, though it specifically gives reasons why you might want to have separate devices, and not why you might (not) want to prohibit their being attached to the same keyring. – Wayne Werner Sep 04 '12 at 12:57

2 Answers

5

Yes, because if you have them together and lose them anyone could walk in with your credentials. Security guards rarely match faces to cards, chances are anyone looking remotely like you would have free access.

Here's a scenario: Employee A is going on vacation for 2 weeks. During his celebratory drinks he drops his ID+tag dongle, which he also has his unencrypted company issued USB memory stick also conveniently connected to. Unsavory character 1 picks up this handy combo, and seeing that his friend, unsavory character 2, looks a lot like this drunken idiot, and overhearing that he's going away for 2 weeks, decides to give it to UC2, who uses it to steal all sorts of company property. That's why having both together is a very bad idea.

GdD
  • Even though my face doesn't match their face? – Wayne Werner Sep 04 '12 at 13:00
  • See my edit, security guards rarely actually look. – GdD Sep 04 '12 at 13:02
  • Depends on where you go / if your guards are trained to do so. If you feel you need the security, make the guards check everybody. – Jeff Ferland Sep 04 '12 at 13:28
  • We don't have security guards, just employees ;) – Wayne Werner Sep 04 '12 at 13:34
  • It's a multi-layered approach to security. Even the best trained and most vigilant security guards can miss things sometimes. If you can't assume perfection you need more depth. – GdD Sep 04 '12 at 13:34
  • It seems like it would be preferable (at least for FT employees) to have the credentials lost together. Because then I *have* to go to the front desk where (if we're doing the right thing) they would log that I've got a temp tag. Then if my ID is used it should raise flags and alarm bells. I think now it just ensures a greater time between "I lost X" and the company realizing it. – Wayne Werner Sep 04 '12 at 14:23
  • There are far larger issues here since the only way that the two being lost together should be an issue is if both represent what you have. This means that the use of both doesn't add anything meaningful to the overall security of your work environment. It sounds like a broken security policy that needs fixing. – AJ Henderson Sep 04 '12 at 17:50
  • In fact really, the root of the question was what is the meaningful security benefit. There isn't one. If the security in place does not make the ID badge an effective biometric (and therefore useless if found by someone who is not the user), then we are looking at a system that is two kinds of things you have which is not meaningfully more secure than requiring one thing you have. – AJ Henderson Sep 04 '12 at 17:55
3

It sounds kind of like they themselves may be doing it wrong. For PCI compliance they probably had to put in a two-factor authentication system. The idea with two-factor authentication is that you must use 2 out of the 3 basic factors (who you are, what you know, what you have). The idea is that while it may be easy to get any one of these things, it is harder to get two of three and too intensive to go for three of three.

In the ID badge + RFID case, it is really just two of what you have, particularly if there are no guards. Without some mechanism to actually check a) the validity of the badge and b) that the biometrics match (typically both done by a well-trained guard or some automatic biometric equipment checking a database), it really just becomes two items of what you have. Having two of the same type of factor does very little to provide additional security, as both could be compromised in the same manner. You still need them with you, and it would be a simple matter of a mugging to get both.

In fact, the very idea that they do not want the ID badge and RFID together indicates that they are aware that it is really two things you have, since if it was either who you are or what you know, then there would be no risk to a lost token and an ID badge.

AJ Henderson
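As an added illustration of the factor-counting argument in the answer above (example code, not part of the thread), this small policy model classifies each presented credential by the factor it actually provides given which verification steps are really performed; the credential names and the "photo-match" check are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Sequence


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Credential:
    name: str
    nominal_factor: Factor
    # Factor the credential only provides when an explicit check is performed,
    # e.g. a photo badge counts as "who you are" only if the photo is matched.
    verified_factor: Optional[Factor] = None
    verification: Optional[str] = None


# Constructed sample credentials for the scenario in the question.
RFID_FOB = Credential("RFID fob", Factor.POSSESSION)
ID_BADGE = Credential("photo ID badge", Factor.POSSESSION,
                      verified_factor=Factor.INHERENCE,
                      verification="photo-match")
DOOR_PIN = Credential("door PIN", Factor.KNOWLEDGE)


def effective_factor(cred: Credential, performed_checks: FrozenSet[str]) -> Factor:
    """Return the factor a credential really contributes under the checks performed."""
    if cred.verification and cred.verification in performed_checks and cred.verified_factor:
        return cred.verified_factor
    return cred.nominal_factor


def distinct_factors(creds: Sequence[Credential], performed_checks: FrozenSet[str]) -> FrozenSet[Factor]:
    return frozenset(effective_factor(c, performed_checks) for c in creds)


def is_multifactor(creds: Sequence[Credential], performed_checks: FrozenSet[str], required: int = 2) -> bool:
    """True when at least `required` distinct factor categories are present."""
    return len(distinct_factors(creds, performed_checks)) >= required


def bundle_loss_is_total(creds: Sequence[Credential], performed_checks: FrozenSet[str]) -> bool:
    """True when every credential is possession-only, so losing the bundle
    together hands a finder a complete set; separating the items does not
    change the factor count in that case, only the chance of losing both."""
    return distinct_factors(creds, performed_checks) == frozenset({Factor.POSSESSION})
```

Evaluating the badge + fob pair with no photo check yields a single possession factor, while the same pair with a guard's photo match, or a fob plus a PIN, yields two.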