Security and one card for many uses

The use of smart cards for door access control has been common for many years, but ensuring that they provide the expected levels of protection, and deliver the wider benefits they are capable of, requires a little in-depth understanding.

Unfortunately, the industry that has grown up around the supply of physical access systems has often made choices about using specific RFID technologies which are more about protecting their business models than protecting the people, buildings and assets of their customers. This has led to a lack of choice and flexibility when it comes to users benefiting from the ‘smart’ nature of their cards and being able to integrate these with other systems.

The opportunities that come from integrating access control contactless cards with other applications can deliver real value to organisations and their staff. Converging identity and access management across an organisation streamlines critical process like staff on-boarding / off-boarding and contractor and visitor access management, which improves security and reduces costs. Convergence also enables a layered security approach to be easily implemented; combating ever-mounting data security threats and meeting increasing compliance needs, such as PCI-DSS and GDPR.

Staff value the convenience of having a single smart card for multiple applications, making the cards less likely to be lost or misused, and more likely to be carried universally. Typical uses include photo-ID, physical access, follow-me printing, cashless canteen vending and secure two factor PC/network/VPN logon. Horror scenarios of secure logon cards being cut down and sticky-taped permanently into laptops can be avoided by ensuring that the same card is needed for other applications, such as buildings access and on-demand printing.

Exploiting the opportunities for improved management workflows, productivity and security through the convergence of multiple applications on to a single card requires organisations to be smart about smart cards, but the total cost of ownership benefits and rapid payback make the investment in addressing the details required well worth it.

Smart cards are not all made equal. When it comes to considering the security of the different RFID card-types themselves, many organisations are unaware of crucial information that means they are buying a compromised technology that no longer protects them adequately, because it can easily be copied, cloned or spoofed.

Even when using the most secure card technologies, organisations are often content to trust 3rd parties in their supply chain with critical card encoding information. Those organisations would certainly be unlikely to share their firewall or domain admin password with anyone else, but seem oblivious to the potential risks of sharing smart card encryption keys. To ensure full control over ‘the keys to the castle’ organisations need to take ownership of their specific encryption keys and carefully oversee the card encoding process.

With around 20 years experience of smart cards and two factor authentication we know it is vital for customers to be given a clear understanding of how different technologies compare, for example: just how much information can be gleaned from a card dropped in the street or left in the gym. Equally when it comes to deployment, of even the most secure technologies, we help customers to ensure their installation delivers the levels of security, integrity and flexibility required.

Smart card alternatives

Mobile and smart phone

Some smart card functions can be replicated on mobile devices, which is particularly good for convenience, as long as this is adequately managed and the risks understood. So just as in payments, where your contactless bank card details can be stored in your phone, so your door access credentials can be stored and sent to the door via NFC or Bluetooth when you walk up to a building. So while it is indeed possible, this technology is new, relatively expensive, and not yet open for use in multiple applications.

Currently it’s probably more appropriate to think of how smart cards can authenticate corporate network access from mobile devices, rather than how mobile devices can themselves provide identity authentication. In general mobile devices should be treated much the same as PCs and laptops – firstly in desperate need of centralised management and control, and secondly requiring appropriate levels of user authentication to ensure only secure access to sensitive data. This has been difficult to achieve until recently, partly due to the lack of native smart card support in most mobile operating systems, unlike conventional PC environment, but advances in the use of NFC and Bluetooth technology have now started to reach the market, along with matching secure app environments and SDKs. Compatible smart cards can now be tapped on mobile devices to authorise access to applications.

Wearables

For some applications personal smart card-like Bluetooth devices and wearables can now provide a convenient solution.

Biometrics

Best practise in the use of biometric identity verification relies on a smart card to securely store an individual’s biometric profile; this can then be inserted into a biometric reader and used to quickly and reliably validate the scan taken by the reader. This approach is preferable to trying to centrally match a biometric scan to a database of profiles, which can be time consuming, or relying on a complete database of profiles stored in a reader located outside a secure area.

In summary

Traditional mechanical locks simply cannot provide scalable solutions that can cost-effectively deal with lost or stolen keys, nor can they provide the flexibility to control where and when people have access, in addition to who has access.

A single physical device, such as a smart card, is a great tool for controlling access to both buildings and data; increasing security and supporting compliance. Costs can also be reduced across multiple departments through the extension of their use to additional applications, which makes them more convenient for staff and thus more readily adopted. However, the details of the technology being used must be properly understood and implemented with care.

The EdgeConnector access control solution works with an extensive range of industry standard card types, supporting the latest and most secure technologies as well as the commonest RFID tokens in use. This means existing cards and card reader hardware can normally be re-used, whilst allowing step-by-step migration to more secure and more versatile card technologies (such as iCLASS and DESFire) or hybrid PKI smart cards suitable for secure PC logon.

• Wireless locks with built-in card readers, from the comprehensive Aperio range, support iCLASS and DESFire cards.
• Wired  EdgeConnector  door  controllers  are  compatible  with  any  readers  supporting the Wiegand or Clock and Data interface standards, which opens up a  wide-range of card  and reader choice, including biometric and pin-pad options.