I have written an article in the past on mobility and security. Back then, it was a bit of a rant on the daily run-ins I had with security, whenever mobility came to the table. I was only confronted with “Not allowed”, and never got a viable alternative. The only message was: “You need strong authentication”. Whenever I asked “Why?”, I got the answer “Because it’s the only safe way”. Today I would like to make an alternative proposal myself. As usual, it’s a mash-up of existing technologies, applied in a completely different way.
Giant security flaw
In the previous document, I referred to bank-cards and their 4-digit pin code. If those 4 digits are sufficient for your bank-account, then why would 4 digits not be enough for your mobile, laptop, printer,…? You can also access the building via your access badge, but what if you lose that badge? Apparently, that is not considered a problem. People can however come in, steal laptops, acquire confidential documents, drink your free coffee… So my analysis was: “Why are we so paranoid about mobility, while leaving all other doors wide open?”
The fact that all other doors are still wide open must not be a reason to neglect mobility, but much rather, I would like to look at a solution that secures your mobile in a user friendly way, but also your laptop, your building access, your document printing…
Let’s go back to that access badge for a second. You swipe the badge across a reader and magically, the door unlocks. In my opinion, that’s not much of a security measure. Lose the card, and someone else can access the building with your badge. That’s why many companies have a security guard at the reception, or cameras to monitor who enters. In my opinion, you need the card, and a personal pin code to unlock the door. After all, the card itself only identifies you, it doesn’t authenticate you. Just like your bank-card requires a pin code to authenticate you, an access badge should too.
Those badges work via RFID tags and communicate over NFC (Near Field Communication). It just so happens that a lot of smartphones these days support NFC and can read such RFID tags. So theoretically, you could use these access badges to identify yourself to your phone, and additionally enter a pin code to authenticate yourself. This means you can also clearly separate your personal and professional use. Swiping the badge initiates the professional profile. Simply waking your phone initiates the personal profile. You don’t even have to pull the badge from your wallet. NFC works within a range of about 1 foot, so simply holding your phone near your wallet, or pocket, should do the trick.
One big drawback here is that most tablets and the Apple products do not yet support NFC. Bummer! However, there are alternatives. Given that the badge only identifies you, there are other possibilities as well. A QR code which you print on the badge and which contains the same info as the tag for example. You can then use the camera to scan your badge, enter your pin and you’re in. Not really the best solution, I admit, but rumour has it that the iPhone 5 might have NFC functionality.
Let’s take the concept of the “Access Badge” a step further. Most business laptops these days have a card reader. So put a chip on your access badge and you can plug it into your laptop to identify yourself. From a security point of view, you still have to enter the pin code before you are actually in. This is a technology which is already used today. I’ve seen it already here and there.
What about all the documents you print on a daily basis? Some of these documents are highly confidential. If someone picks them up at the printer, it could spell trouble. Some printers support secured printing. It means that nothing is printed until you are physically at the device and enter your user id and pin code. Again, the access badge can assist you. Simply swipe the badge over the reader, enter your pin and your document rolls out. Interesting about this solution, is that you don’t know the printer name either. You just send your print job to a central system and the printer where you swipe your badge pulls the job in and processes it.
From a user point of view, they’ll probably say: “We like the idea of a single badge for all access rights, but drop the Pin code.”
The security team will probably say: “We like the idea of a single badge for all access rights, but you need a pin and an RSA token.”
Let’s meet up in the middle, shall we?
Because the card identifies you, you could integrate this with a central “Identity Management”. It’s not only about access, but also about authorizations. You could create authorizations for different buildings and rooms. This can be very useful to deny access to the server room, automatically book a meeting room, or it can be great fun when blocking access to the restrooms.
Integrating the Identity Management with your Mobile Device Management, you can filter access to certain websites, block mobile apps, allow mobile email, restrict access to corporate resources etc…
On your laptop, it can call up the correct profile and arrange your authorizations to SAP, Websites, allowed software, local rights,…
If you push it really far, you can even add labels to documents (classified, restricted, internal, open,…) and manage who gets to print which type of documents. So when you try to print a hyper sensitive classified document, the printer essentially tells you to bug off because you’re not allowed to print that.
Suppose you lose that super important card and someone else finds it. Panic!! Well, not really, because the card alone is not enough. As long as they don’t also have the pin code, there’s no problem. Stay cool, call security, tell them your username and ask them to block the card. One click and the card can’t be used for building access, document printing, laptop access, mobile phone,…
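As an added illustration (not the author's design or any real product), here is a small Python model of the central “Identity Management” described above: the badge id only identifies, the pin code authenticates, authorizations for rooms and document labels are checked centrally, and blocking the badge cuts off everything at once. All names, the sample directory and the lock-after-three-wrong-pins policy are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Document labels from the article, ranked so "may print X" is a simple comparison.
CLASSIFICATION_RANK = {"open": 0, "internal": 1, "restricted": 2, "classified": 3}

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store the pin itself; store a salted, slow hash of it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class User:
    username: str
    pin_salt: bytes
    pin_hash: bytes
    rooms: set            # rooms this user may enter
    max_print_level: str  # highest document label this user may print
    failed_attempts: int = 0

class IdentityManager:
    """Hypothetical central directory: badge -> user, plus authorizations."""
    def __init__(self):
        self.badges = {}     # badge id -> username (the badge only identifies)
        self.users = {}
        self.revoked = set() # badges blocked by security ("one click")

    def enroll(self, badge_id, username, pin, rooms, max_print_level):
        salt = os.urandom(16)
        self.users[username] = User(username, salt, hash_pin(pin, salt), set(rooms), max_print_level)
        self.badges[badge_id] = username

    def revoke_badge(self, badge_id):
        self.revoked.add(badge_id)

    def authenticate(self, badge_id, pin):
        """Badge identifies, pin authenticates. Returns the User, or None on failure."""
        if badge_id in self.revoked or badge_id not in self.badges:
            return None
        user = self.users[self.badges[badge_id]]
        if user.failed_attempts >= 3:
            return None  # assumed policy: lock the badge after three wrong pins
        if not hmac.compare_digest(hash_pin(pin, user.pin_salt), user.pin_hash):
            user.failed_attempts += 1
            return None
        user.failed_attempts = 0
        return user

    def may_enter(self, badge_id, pin, room):
        user = self.authenticate(badge_id, pin)
        return user is not None and room in user.rooms

    def may_print(self, badge_id, pin, document_label):
        user = self.authenticate(badge_id, pin)
        return user is not None and CLASSIFICATION_RANK[document_label] <= CLASSIFICATION_RANK[user.max_print_level]
```

The same `authenticate` call would sit behind the door reader, the printer and the laptop login, so a single revocation covers all of them.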
What about the grave danger of a stolen phone? Well, seeing as you must carry the card separate from your phone, the risk is low. It could be of course that certain people carry the card together with the phone in a pouch, or that someone manages to scan your badge and replicates it. They still need the pin code however before they can get in. Phew, good thing we didn’t write the pin code on the access badge!
Turn the table
So theoretically, the single access badge could serve many purposes. It can even be used for identification on your mobile phone. Here’s a thought: If your mobile phone supports NFC, it can not only read a badge, but it can also send its own information.
Can’t we then use our mobile phone to replace the access badge?
Obviously, this does not solve the problem of securing your mobile, but it’s an interesting thought.
PS: Probably, my (yet another) crazy idea is not really viable. However, I am strongly convinced that enterprises must think about security in a new and much broader way than they currently do today. Instead of everyone having a narrow focus on a single area, enterprise security should be,… Enterprise-Wide.