Access Badges: The link between physical and logical access


Organizations using access badges to secure physical access to (all or part of) their premises increasingly ask for the ability to use the same badges for access to their network and applications.

In some cases, the cards also serve multiple purposes, such as employee IDs, time and attendance cards or parking access. Usually it’s the IT department expressing this desire, as its members are looking for solutions to the many and complex passwords that end users must remember. Also, it is possible to fulfil this wish using single sign-on in combination with authentication management.

There are two ways of combining physical and logical access: using single sign-on, or with certificates/PKIs. PKI is not contactless, making it an expensive solution. When companies want to send encrypted emails or implement encrypted access, some recommend a PKI structure. They are then dependent on a contact-based crypto chip, but most organizations want to achieve quick and easy logins for their end users.

Two-factor authentication
With single sign-on as part of an access badge, all combinations of user names and passwords are replaced. Users can present a badge to a reader and optionally enter a PIN code, and are then logged in to Windows automatically.

Virtually all badges currently available in the market provide support for combining logical access and single sign-on. In many instances, to avoid having to log in and out of applications all the time, some employees resort to all sorts of workarounds; for example, sharing the same account.

With access cards, however, users can log in by swiping their badge across a reader, and they can even have their open sessions follow them to another PC. Presenting the badge to the reader for that machine will give them access to the applications they previously opened, within just a few seconds.

If a badge is lost, the security risk is minimized because a PIN is required to gain access to a computer and the network. When an employee goes for a replacement, the old card can be de-activated, further mitigating the risk. Additionally, some organizations impose a time period during which a PIN can be used.

Link with the HRM system
From a security perspective, it’s not desirable that employees can link any badge to the system to log in to their workstation. Single sign-on can offer a link to the human resources management (HRM) system, so that it can be checked whether the badge a user wants to link has been registered in the badge system and is valid and not flagged as lost. Similarly, access badges can be de-activated quickly when an employee’s contract is terminated.

If new users enter the organization, a badge is assigned automatically. Users are matched against Windows Active Directory automatically, meaning they can only gain access to the municipality’s buildings if they are listed as “active” users in the organization’s employee log. Links with the HRM system or Active Directory can be created with provisioning software.

Information on the physical presence or absence of staff members can also be processed in real time in the organization’s online phone directory. Since the security management system knows employees have entered the building using their pass, it can synchronize this information with a system feeding an intranet.

Where there are escalations, organizations may want to block or unblock an access badge immediately. With a special portal, they can delegate certain tasks to employees (usually security staff) who have no access to the HRM system or service management system.

Besides blocking and unblocking badges, it is possible to register a new employee, change a password or issue a temporary badge if the original badge is lost. In this case, the existing PIN code will remain active. This delivers additional security, as the helpdesk does not know or get to see the PIN code and the end user also will only be able to use the temporary badge.

Smartphone-based authentication
Using a smartphone as a means of authentication is a logical step as end users almost always carry their mobile devices. Two-factor authentication with a smartphone is a sound alternative to the more expensive token solutions, since no costly additional hardware is required.

Using identity and access management software, the unique ID of the end user’s smartphone can be linked to the login process. When the end-user logs in to the company network internally or remotely, the following takes place. The user enters his or her username and PIN code in the login screen. The login system will ask the smartphone for confirmation. A pop-up will be displayed on the user’s smartphone, prompting him or her for a confirmation of the login. After the user has confirmed, the login process is resumed and the user is successfully logged in.

Multiple commercially available applications exist to handle the confirmation of the login. Companies also need a good mobile device management (MDM) application to handle wiping of lost devices. While the risk of someone using a lost device to access the network is minimal – they need to know the correct login URL along with the user name and PIN – remotely wiping a device or removing the phone identifier from the MDM lowers the risk considerably further. With personal devices, a remote wipe is usually up to the owner; removing the phone identifier will prevent the delivery of the confirmation prompt.
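
The confirmation flow and the effect of removing a phone identifier, sketched as an added example (not from the article or from any product it refers to). The class and method names, the 60-second prompt lifetime and the single-use challenge are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 60  # seconds a confirmation prompt stays valid (assumed value)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class LoginService:  # hypothetical model of the login system in the text
    def __init__(self):
        self.users = {}    # username -> (salt, PIN hash)
        self.devices = {}  # username -> linked smartphone ID
        self.pending = {}  # challenge ID -> (username, device ID, expiry)

    def enroll(self, user, pin, device_id):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, pin_hash(pin, salt))
        self.devices[user] = device_id

    def remove_device(self, user):
        """Lost phone: drop the identifier and cancel outstanding prompts."""
        self.devices.pop(user, None)
        self.pending = {c: p for c, p in self.pending.items() if p[0] != user}

    def start_login(self, user, pin, now=None):
        """Username + PIN step. Returns a challenge ID to push, or None."""
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        pin_ok = hmac.compare_digest(pin_hash(pin, salt), stored)
        device = self.devices.get(user)
        if not pin_ok or device is None:
            return None  # no prompt is delivered
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (user, device, now + CHALLENGE_TTL)
        return challenge

    def confirm(self, challenge, device_id, now=None):
        """The phone answers the pop-up. True means the login resumes."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # single use: replays fail
        if entry is None:
            return False
        _user, device, expiry = entry
        same_device = hmac.compare_digest(device.encode(), device_id.encode())
        return now <= expiry and same_device
```

The `now` parameter exists only so the expiry logic can be exercised with fixed timestamps.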

Since smartphones offer multiple authentication capabilities, in the future there will be a significant increase in possibilities for implementing strong authentication using smartphones, such as geolocation or voice recognition.
