2013-10-21

Companies using access badges to secure physical access to (parts of) their premises increasingly ask for the ability to use the same badges for access to their network and applications. Usually it is the IT department expressing this wish, as it is looking for a solution to the many complex passwords that end-users have to remember. It is possible to fulfil this wish using Single Sign On in combination with authentication management.



There are two ways of combining physical and logical access: Single Sign On, or certificates (PKI). PKI requires a contact-based chip rather than a contactless one, making it an expensive solution. Ed Dijkers, Sales Director at OmniCard BV, explains: “When companies want to send encrypted emails or implement encrypted access, we recommend that they use a PKI structure. They will then be dependent on a contact-based crypto chip. But most companies want to achieve quick and easy logins for their end-users. That's when we advise them to start with the basics and implement a Single Sign On solution.”

Two-factor authentication

With Single Sign On based on an access badge, all combinations of user names and passwords are replaced. Users can present a badge to a reader and optionally enter a PIN code, and are then logged in to Windows automatically. The Single Sign On solution will take care of all the subsequent login procedures automatically, so that users can open all their applications immediately. When they remove their badge or present it to the reader again, they will be logged out. This is a solid means of authentication, as it is based on something that the user owns (the badge) and something the user knows (a PIN code). This is also known as two-factor authentication.

“We are frequently asked whether physical access badges are also suitable for providing network access,” comments Dijkers. “Virtually all badges currently available in the market provide support for combining logical access and Single Sign On. MIFARE Classic, MIFARE DESFire EV1 and HID Prox are just a few examples. These badges can also be used to pay in the canteen or for follow-me printing.”

The Kennemer Gasthuis hospital in the Netherlands has created a link between physical and logical access providing support for Single Sign On. Gerard Hensels, the hospital's IT & Medical Technology Manager, explains how their end-users benefit: “Our healthcare staff were faced with lengthy start-up times for the applications they used. To avoid having to log in and out of applications all the time, they resorted to all sorts of workarounds, for example sharing the same account. We are currently running a pilot with some 100 users who use their MIFARE company badge to log in to their applications.
“Users can log in by swiping their badge across the reader. Then they can even have their open sessions follow them to another PC. Presenting the badge to the reader for that machine will give them access to the applications they previously opened, within just a few seconds. This is particularly vital for departments under time pressure, such as emergency rooms.”

Link with the HRM system

From a security perspective, it is not desirable that employees can link any MIFARE/RFID badge to the system so as to log in to their workstation. Single Sign On can offer a link to the HRM system, so it can be checked whether the badge a user wants to link has been registered in the badge system and is valid (i.e. unblocked and not flagged as lost). Similarly, access badges can be deactivated in good time when an employee's contract is terminated. If new users enter the organisation, a badge will be assigned to them automatically. The Dutch Municipality of Lelystad is an example of an organisation that has implemented a link with the iProtect security management system. Users are matched against Windows Active Directory automatically. This means they can only gain access to the municipality's buildings if they are listed as 'active' users in Active Directory. Links with the HRM system or Active Directory can be created with provisioning software.

Information on the physical presence or absence of staff members can also be processed in real time in the organisation's online phone directory. Since the security management system knows employees have entered the building using their pass, it can synchronise this information with a system feeding an Intranet.
In the event of an escalation, companies may want to block or unblock an access badge immediately. With a special portal, they can delegate certain tasks to employees (usually security staff) who have no access to the HRM system or service management system. Besides blocking and unblocking badges, it is possible to register a new employee, change a pass number or issue a temporary badge if the original badge is lost. In this case the existing PIN code will remain active. This delivers additional security, as the helpdesk does not know or get to see the PIN code. The end user will then be able to use only the temporary badge.
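The badge-linking rules above (registered, unblocked, not lost, contract still running, 'active' in Active Directory) and the temporary-badge procedure, written out as an added Python example; this is not code from the article or from any of the products it names. The badge registry, HRM records and reference date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2013, 10, 21)  # constructed reference date for the sample data

@dataclass
class Badge:
    number: str
    owner: str            # employee id in the badge / HRM system
    blocked: bool = False
    lost: bool = False

@dataclass
class Employee:
    emp_id: str
    ad_active: bool                      # listed as 'active' in Active Directory
    contract_end: Optional[date] = None  # None = open-ended contract

def badge_link_decision(badge, emp, today=TODAY):
    """Decide whether `badge` may be linked to the Windows account of `emp`.
    Returns (allowed, reason); the first failing rule is the reason."""
    if badge is None:
        return False, "badge is not registered in the badge system"
    if badge.owner != emp.emp_id:
        return False, "badge is registered to a different employee"
    if badge.blocked:
        return False, "badge is blocked"
    if badge.lost:
        return False, "badge is flagged as lost"
    if emp.contract_end is not None and emp.contract_end < today:
        return False, "employee contract has ended"
    if not emp.ad_active:
        return False, "employee is not an active user in Active Directory"
    return True, "ok"

def issue_temporary_badge(registry, lost_number, temp_number):
    """Helpdesk action: flag the lost badge and register a temporary one for
    the same owner; the PIN stays with the account, so the helpdesk never sees it."""
    old = registry[lost_number]
    old.lost = True
    registry[temp_number] = Badge(number=temp_number, owner=old.owner)
    return registry[temp_number]

def sample_data():
    """Constructed badge registry and HRM records, not real data."""
    registry = {"B-1001": Badge("B-1001", "E42"),
                "B-1002": Badge("B-1002", "E43", blocked=True)}
    staff = {"E42": Employee("E42", ad_active=True),
             "E43": Employee("E43", ad_active=True),
             "E44": Employee("E44", ad_active=True, contract_end=date(2013, 9, 30))}
    return registry, staff
```

After `issue_temporary_badge` runs, the lost badge fails the link check while the temporary badge for the same owner passes it.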

Follow-me feature

Single Sign On technology is developing at a lightning pace. One of the latest innovations is the Follow Me feature, which can be used by organisations with a Virtual Desktop Infrastructure (VDI), e.g. a combination of VMware View 4.5 and Citrix XenApp. One of the advantages of VDI is that sessions can easily follow the user from one desktop to the next. But this process is delayed because users have to enter their username and password and perform various actions to connect to their desktop. This is far from efficient in organisations where end-users switch desktops multiple times a day, such as in hospitals. The Follow Me feature makes it possible to resume work in the applications opened on the previous machine. Particularly for medical specialists, who have to do the rounds and need access to a variety of computers, this yields substantial time efficiencies. All users need to do is hold their badge against a reader. They will then be connected to the opened session automatically within just 8 seconds.

Smartphone-based authentication

Using a smartphone as a means of authentication is a logical step, as end-users almost always carry their mobile devices. Two-factor authentication with a smartphone is a sound alternative to the more expensive token solutions, since no costly additional hardware is required. Using Identity & Access Management software, the unique ID of the end-user's smartphone can be linked to the login process. When the end-user logs in to the company network internally or remotely, the following takes place. The user enters his or her username and PIN code in the login screen. The login system will ask the smartphone for confirmation. A pop-up will be displayed on the user's smartphone, prompting them for a confirmation of the login. After the user has confirmed, the login process is resumed and the user is successfully logged in.
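The smartphone confirmation flow described above (username + PIN, then a confirmation prompt on the registered device, then the login resumes), as an added Python example that is not code from the article or from any Identity & Access Management product. The `LoginServer` and `Smartphone` classes, the per-attempt nonce, the expiry window and the enrolment record are assumptions of this example; the enrolment data is constructed.

```python
import hashlib
import hmac
import secrets

def pin_digest(pin: str) -> str:
    # Demo only: a real deployment stores PINs with a slow, salted password hash.
    return hashlib.sha256(pin.encode()).hexdigest()

# Constructed enrolment record: username -> PIN digest and the unique ID of
# the smartphone registered through the Identity & Access Management software.
USERS = {"j.doe": {"pin": pin_digest("4711"), "device": "phone-0001"}}

class LoginServer:
    def __init__(self, users, ttl=60):
        self.users, self.ttl, self.pending = users, ttl, {}

    def start_login(self, username, pin, now):
        """First factor: username + PIN. Returns the push to send, or None."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pin"], pin_digest(pin)):
            return None                      # wrong PIN: no prompt is sent at all
        nonce = secrets.token_hex(16)        # ties the confirmation to this attempt
        self.pending[nonce] = (username, user["device"], now)
        return {"device": user["device"], "nonce": nonce,
                "prompt": f"Confirm login for {username}?"}

    def complete_login(self, nonce, device, approved, now):
        """Second factor: the confirmation coming back from the phone."""
        entry = self.pending.pop(nonce, None)   # one-shot: a replay finds nothing
        if entry is None:
            return False
        _username, expected_device, started = entry
        if device != expected_device or now - started > self.ttl:
            return False
        return bool(approved)

class Smartphone:
    def __init__(self, device_id, user_approves):
        self.device_id, self.user_approves = device_id, user_approves

    def handle_push(self, push):
        """The pop-up shown to the user; returns (nonce, device, decision)."""
        return push["nonce"], self.device_id, self.user_approves

def login(server, phone, username, pin, now=0):
    """Run the whole exchange; True only if both factors succeed."""
    push = server.start_login(username, pin, now)
    if push is None:
        return False
    nonce, device, approved = phone.handle_push(push)
    return server.complete_login(nonce, device, approved, now)
```

A wrong PIN never reaches the phone, a declined or expired prompt fails the login, and a confirmation can be used only once, so the two factors stay separate.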

Since smartphones offer multiple authentication capabilities, in future there will be many more possibilities for implementing strong authentication using smartphones, such as geolocation or voice recognition.
