
I have written an article in the past on mobility and security. Back then, it was a bit of a rant on the daily run-ins I had with security, whenever mobility came to the table. I was only confronted with “Not allowed”, and never got a viable alternative. The only message was: “You need strong authentication”. Whenever I asked “Why?”, I got the answer “Because it’s the only safe way”. Today I would like to make an alternative proposal myself. As usual, it’s a mash-up of existing technologies, applied in a completely different way.

Giant security flaw

In the previous document, I referred to bank cards and their 4-digit PIN code. If those 4 digits are sufficient for your bank account, then why would 4 digits not be enough for your mobile, laptop, printer, …? You can also access the building via your access badge, but what if you lose that badge? Apparently, that is not considered a problem. People can, however, come in, steal laptops, acquire confidential documents, drink your free coffee… So my analysis was: “Why are we so paranoid about mobility, while leaving all other doors wide open?”

The fact that all other doors are still wide open must not be a reason to neglect mobility. Rather, I would like to look at a solution that secures your mobile in a user-friendly way, but also your laptop, your building access, your document printing…

Access badge

Let’s go back to that access badge for a second. You swipe the badge across a reader and, magically, the door unlocks. In my opinion, that’s not much of a security measure. Lose the card, and someone else can access the building with your badge. That’s why many companies have a security guard at the reception, or cameras to monitor who enters. In my opinion, you need the card and a personal PIN code to unlock the door. After all, the card itself only identifies you; it doesn’t authenticate you. Just like your bank card requires a PIN code to authenticate you, an access badge should too.

Mobile

Those badges work via RFID tags and communicate over NFC (Near Field Communication). It just so happens that a lot of smartphones these days support NFC and can read such RFID tags. So theoretically, you could use these access badges to identify yourself to your phone, and additionally enter a PIN code to authenticate yourself. This means you can also clearly separate your personal and professional use. Swiping the badge initiates the professional profile. Simply waking your phone initiates the personal profile. You don’t even have to pull the badge from your wallet. NFC works within a range of 1 foot, so simply holding your phone near your wallet or pocket should do the trick.

One big drawback here is that most tablets and the Apple products do not yet support NFC. Bummer! However, there are alternatives. Given that the badge only identifies you, there are other possibilities as well: for example, a QR code printed on the badge which contains the same info as the tag. You can then use the camera to scan your badge, enter your PIN and you’re in. Not really the best solution, I admit, but rumour has it that the iPhone 5 might have NFC functionality.

Laptop

Let’s take the concept of the “Access Badge” a step further. Most business laptops these days have a card reader. So put a chip on your access badge and you can plug it into your laptop to identify yourself. From a security point of view, you still have to enter the PIN code before you are actually in. This technology is already in use today; I’ve seen it here and there.

Printer

What about all the documents you print on a daily basis? Some of these documents are highly confidential. If someone picks them up at the printer, it could spell trouble. Some printers support secure printing, which means that nothing is printed until you are physically at the device and enter your user ID and PIN code. Again, the access badge can assist you. Simply swipe the badge over the reader, enter your PIN and your document rolls out. What’s interesting about this solution is that you don’t even need to know the printer’s name. You just send your print job to a central system, and the printer where you swipe your badge pulls the job in and processes it.

From a user point of view, they’ll probably say: “We like the idea of a single badge for all access rights, but drop the PIN code.”

The security team will probably say: “We like the idea of a single badge for all access rights, but you need a PIN and an RSA token.”

Let’s meet up in the middle, shall we?

Authorizations

Because the card identifies you, you could integrate it with a central “Identity Management” system. It’s not only about access, but also about authorizations. You could create authorizations for different buildings and rooms. This can be very useful to deny access to the server room or automatically book a meeting room, or it can be great fun when blocking access to the restrooms.

By integrating the Identity Management with your Mobile Device Management, you can filter access to certain websites, block mobile apps, allow mobile email, restrict access to corporate resources, etc.

On your laptop, it can call up the correct profile and arrange your authorizations for SAP, websites, allowed software, local rights, …

If you push it really far, you can even add labels to documents (classified, restricted, internal, open, …) and manage who gets to print which type of document. So when you try to print a hyper-sensitive classified document, the printer essentially tells you to bug off because you’re not allowed to print that.

Limit risks

Suppose you lose that super important card and someone else finds it. Panic! Well, not really, because the card alone is not enough. As long as they don’t also have the PIN code, there’s no problem. Stay cool, call security, tell them your username and ask them to block the card. One click, and the card can’t be used for building access, document printing, laptop access, mobile phone, …

What about the grave danger of a stolen phone? Well, seeing as you must carry the card separately from your phone, the risk is low. It could of course be that certain people carry the card together with the phone in a pouch, or that someone manages to scan your badge and replicate it. They still need the PIN code, however, before they can get in. Phew, good thing we didn’t write the PIN code on the access badge!
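To make the “Authorizations” and “Limit risks” ideas concrete, here is a toy central identity service written for this page (it is not code from the post or from any product it mentions). The badge UID only identifies the user; the PIN, stored as a salted hash, authenticates; one revocation blocks the badge for every door, printer and laptop that asks the same service; and permissions such as `print:classified` model the document labels. The lockout threshold, iteration count and all sample data are assumptions.

```python
import hashlib
import hmac
import os

PIN_ATTEMPTS = 3      # assumed lockout threshold: a found card cannot be guessed against
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored PIN hash


class IdentityService:
    """Central identity service: badge identifies, PIN authenticates,
    and a single revocation blocks the badge for every connected device."""

    def __init__(self):
        self.cards = {}        # badge UID -> username (identification only)
        self.pins = {}         # username -> (salt, pbkdf2 hash); PIN never stored in clear
        self.failures = {}     # username -> consecutive failed PIN attempts
        self.blocked = set()   # revoked badge UIDs
        self.rights = {}       # username -> set of permissions, e.g. "door:serverroom"

    def enrol(self, uid, user, pin, rights):
        salt = os.urandom(16)
        self.cards[uid] = user
        self.pins[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS))
        self.failures[user] = 0
        self.rights[user] = set(rights)

    def block_card(self, uid):
        """The 'one click' from security: every service consulting us now denies this badge."""
        self.blocked.add(uid)

    def authenticate(self, uid, pin):
        """Return the username if badge is known, not revoked, not locked, and PIN matches."""
        user = self.cards.get(uid)
        if user is None or uid in self.blocked:
            return None
        if self.failures[user] >= PIN_ATTEMPTS:
            return None  # locked out until security resets the counter
        salt, expected = self.pins[user]
        got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(got, expected):  # constant-time comparison
            self.failures[user] += 1
            return None
        self.failures[user] = 0
        return user

    def authorize(self, uid, pin, permission):
        """One check shared by doors, printers and laptops: authenticate, then look up the right."""
        user = self.authenticate(uid, pin)
        return user is not None and permission in self.rights[user]
```

A door reader would call `authorize(uid, pin, "door:office")`, a pull-printing queue `authorize(uid, pin, "print:" + document_label)`; neither device needs its own copy of the user list.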

Turn the table

So theoretically, the single access badge could serve many purposes. It can even be used for identification on your mobile phone. Here’s a thought: if your mobile phone supports NFC, it can not only read a badge, but also send its own information.

Can’t we then use our mobile phone to replace the access badge?


Obviously, this does not solve the problem of securing your mobile, but it’s an interesting thought.

PS: Probably, my (yet another) crazy idea is not really viable. However, I am strongly convinced that enterprises must think about security in a new and much broader way than they currently do today. Instead of everyone having a narrow focus on a single area, enterprise security should be,… Enterprise-Wide.


7 Comments


  1. Roger Latiegue

    Hello, great article. I am looking for a solution to integrate the access to buildings in the company with a central Identity Management system. Exactly as you described, not all the people in the company should have the same access to all the buildings. This information is already available in the authorization management of SAP.

    Do you know of any functionality in standard SAP or from a third-party provider?

    Thanks for any comment or guide.

    Roger

    1. Tom Van Doorslaer Post author

      I thought that NetWeaver Identity Management did indeed have connectors for third-party systems, but usually on the software layer. So I’m not entirely certain if they can also integrate with hardware scanners.

      But there’s bound to be some badge scanners which have a webservice mechanism to connect to “a system”.

      4 days ago, HID apparently launched something like that: (damn I’m visionary)

      http://www.hidglobal.com/main/media-center/releases/2012/09/hid-global-launches-secure-identity-services-industrys-first-comprehensive-offering-for-credential-p.html

      Access with badge or NFC phone. PIN-code-enabled terminals. A set of web services for self-management (and presumably integration with authorization providers for the terminals as well).

      Normally, those terminals connect to a central system to see if your badge is valid, but I bet you can connect that central system to another provider (LDAP, NW Identity Management, Tivoli IM, …).

      cheers!

  2. Luke Marson

    Hi Tom,

    A good blog! I think there is a lot of food for thought in your article and some interesting points to support organizations thinking in a broader and long-term vision when it comes to security and authorizations.

    I’ve worked with the concepts of authorization and authentication, and often I see systems that purely authenticate any holder of the access “token” (a badge, for instance). Coincidentally, I received a security pass at one of my current clients that does require a PIN code to be used with it at all major checkpoints, with the exception of the entry barriers in the building reception.

    Organizations must ensure that authentication is considered alongside authorization of individuals for both electronic and physical access to information, data, assets, etc. that are important and sensitive to the business.

    Best regards,

    Luke

  3. Frank Koehntopp

    Congrats on an awesome blog, Tom!

    It actually makes me furious – I have had silly discussions on why I think no one needs NFC, based on the stupid mobile payment use case.

    This is one I hadn’t thought of at all, even though a) it’s my day job and b) scanning my SAP access card with the Nexus 7 was the first NFC thing I ever did.

    “Biting my ***”, as we say in Germany (excuse my French)…

    Frank.

    1. Tom Van Doorslaer Post author

      Just to show that sometimes you need someone with no clue whatsoever on a topic to shine some new light 😆

      (I’m the guy with no clue. I just talk from a childishly naive context)

  4. Chiara Bersano

    Tom, I love all the food for thought. It is all true, and many of the solutions you are talking about are in use – here and there – but how come they aren’t (yet) industry standard?

    I’ve seen cameras identifying car plates to grant access to the garage – eliminating the need for queuing up waiting for everybody to flash their badge (or realize they’ve forgotten it). I’ve seen printers with a centralized queue, so that you could, at the badge’s command, print anywhere in the world.

    I really like the phone badge…

    But all this goes back to highlight how critical a good identity management will be – the more we integrate and simplify, the more we have to cover seamlessly onboarding and – more importantly – offboarding.

    1. Tom Van Doorslaer Post author

      Hi Chiara,

      I’m glad you like the article.

      Most (if not all) of the ideas I come up with already exist somewhere. The big issue is that they’re all individual solutions. There’s no single solution that covers all of the areas.

      This seems to be a common problem with any technology.

      Take in-house domotica for example. There are many different vendors for light switches, thermostats, TVs, etc., but there are very few central systems that manage to steer all of the individual technologies.

      It takes years and years to come up with a standard for integration (be it domotica, access badges or anything). Once the standard is there, it takes again years and years for all players to adhere to that one standard (look at HTML, W3C and Internet Explorer).

      It’s only at that point in time that integrated systems start to thrive.

      It’s the same with access badges, NFC communication and identity management systems. It’s only now, as NFC is gaining popularity on phones, that enterprises start to think of ways to integrate the identification with the authentication on a scale that surpasses the PC login. An employee is more than just a user ID on a PC. It’s also a physical being in need of access to an office. He/she drives a car in need of a parking spot, or owns a phone which needs corporate access. He/she also signs documents, contracts and purchase orders, for which the right authority is necessary.

      It’s gonna take another few years before the idea becomes mainstream.
