Hybrid smartcards are the most secure and cost-effective solution for providing staff with just one credential for all identity and access applications – making life easier for employees and strengthening security by enforcing desired behaviours.
Organisations typically have many different systems that require user identity verification in addition to building access control, such as secure logon to the IT network, the release of documents from printers and cashless canteen vending.
Making it possible for each staff member to use just one ID for all these identity and access applications not only makes life easier for them, which aids their productivity, but also strengthens security across the organisation by enforcing behaviours that ensure protective measures are not circumvented (such as by the loan of door access cards to colleagues, or by leaving logged-on computers unattended).
Furthermore, having just one user identity database for all applications, enterprise-wide, avoids wasteful resource duplication and significantly reduces overall costs.
Hybrid smartcards can combine a separate contactless RFID interface chip with a contact chip in the same card body. This allows the most appropriate standards-based contact and contactless technologies to be selected for an organisation’s specific requirements.
Contactless applications, including building access, can make use of up-to-date technologies, including DESFire, iCLASS and SEOS, which support mutual authentication with card readers before transferring encrypted identification information. It’s also possible for multiple RFID chips to be incorporated, in order to support migration from insecure legacy technologies, or to accommodate completely separate physical access control systems.
Contact smartcard chips are ideally suited to PKI-based 2-factor authentication (2FA) security applications, such as network logon, disk encryption, email encryption and digital signatures. They provide the ‘gold-standard’ in security by utilising private keys that are generated and stored securely in the chip, protected against external access, and never shared. The chip hardware from established manufacturers includes design features that prevent keys from being extracted, even if probed by an electron microscope, and so achieve certification to the highest international standards, such as EAL 5+ and FIPS 140-2.
The actual security of any digital credential ultimately depends on how well its encryption keys are protected. As mentioned already, contact smartcard chips have been certified to the highest security standards. Mobile devices support 2FA by hosting various app- and cloud-based implementations of cryptographic algorithms; software-based solutions are at greater risk from malware attack, and the security of encryption keys depends very much on the particular mobile device and OS in question.
Mobile-device-based credentials appear to offer a convenient alternative to issuing each staff member with a smartcard; however, they introduce the burden of managing and maintaining multiple apps and device platforms, a task that becomes even more complex as these proliferate over time.
Issuing employees with smartcards commonly supports wider site security requirements, as they can be printed on for use as an easily recognisable company ID, bearing a photo of the user and worn on a lanyard.
While mobile credentials solutions for an ever widening range of identity and access applications have become increasingly available, their adoption is currently limited by their much greater cost in comparison to well-established smartcard solutions.
Security benefits of converged credentials
Combining the forms of identification required for both logical access and physical access into a single ‘converged credential’ facilitates streamlined management and administration for critical processes such as staff on-boarding and off-boarding.
Card Management Systems (CMSs) help organisations deploy and manage smartcards quickly, efficiently and securely. Hybrid cards can be managed easily with CMS tools that connect to enterprise directories, card printers, certificate authorities, and more.
Staff always tend to find the most expedient ways of getting their work done, even if short-cuts may result in security vulnerabilities. Issuing each staff member with a single card for door access as well as IT access (amongst other uses) naturally compels them to carry their ID cards at all times, strengthening overall security by:
- Ensuring credentials with photo-ID are consistently worn by staff moving around a site.
- Quashing the practice of lending door access cards to colleagues.
- Automatically logging off or locking computers whenever users leave them unattended, since they must remove their ID card to, for example, pick up a coffee or collect a document from a printer.
Hybrid smartcards allow organisations to mix and match established standard contactless and contact technologies to fit their precise needs, providing the flexibility to integrate with an extensive range of identity and access applications using just one ID card.
In addition, fully online and integrated door access control systems can be used to ensure that users can only log on to their PC, or access other IT resources, if they have badged through a door, thus eliminating most ‘pass-back’ and ‘tailgating’ issues with building access cards.
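The following is an added illustration of that door-gated logon policy, not Dot Origin product code: it replays a badge log from an online access control system to decide whether a PC logon should be permitted, and flags the pass-back and tailgating patterns the text refers to. The log format, card IDs, site names and the 12-hour shift limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed badge log from an online door access control system (sample data, not real):
# (timestamp, card_id, site, event), where event is "ENTRY" or "EXIT".
BADGE_LOG = [
    ("2024-03-04T08:02:10", "C1001", "HQ", "ENTRY"),
    ("2024-03-04T08:03:40", "C1002", "HQ", "ENTRY"),
    ("2024-03-04T08:05:00", "C1001", "HQ", "ENTRY"),  # entry while already inside: pass-back
    ("2024-03-04T12:30:00", "C1002", "HQ", "EXIT"),
    ("2024-03-04T13:10:00", "C1003", "HQ", "EXIT"),   # exit with no prior entry: tailgated in
]

MAX_SHIFT = timedelta(hours=12)  # assumed limit on how old a badge-in may be for logon


def _parse(ts):
    return datetime.fromisoformat(ts)


def presence_anomalies(log):
    """Replay the door log and report pass-back and tailgating indicators per card and site."""
    inside = set()   # (card, site) pairs currently believed to be on site
    anomalies = []
    for ts, card, site, event in sorted(log):
        key = (card, site)
        if event == "ENTRY":
            if key in inside:
                anomalies.append((ts, card, site, "PASS_BACK"))
            inside.add(key)
        elif event == "EXIT":
            if key not in inside:
                anomalies.append((ts, card, site, "EXIT_WITHOUT_ENTRY"))
            inside.discard(key)
    return anomalies


def logon_permitted(log, card, site, at):
    """Permit a PC logon only if the card's most recent door event at that site, before the
    logon time, is an ENTRY no older than MAX_SHIFT. A badge-out or no badge-in denies logon."""
    when = _parse(at)
    last = None
    for ts, c, s, event in sorted(log):
        t = _parse(ts)
        if c == card and s == site and t <= when:
            last = (t, event)
    if last is None or last[1] != "ENTRY":
        return False
    return when - last[0] <= MAX_SHIFT
```

In a real deployment the door log would be queried live from the access control system at logon time, and the anomaly list would feed the SOC's alerting rather than a local list.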
For more information on converged identity and access management solutions contact Dot Origin:
+44 (0)1428 685 861