Access Control

Smart cards and smartphones

by Mark Rowe

The industry is moving to access control architectures that enable users to carry multiple secure identities on a single card or phone for applications beyond physical access control, including “tap in” multi-factor authentication, also known as strong authentication, writes Julian Lovelock, Director of Product Marketing, Identity Assurance with HID Global.

A key ingredient is short-range wireless communication, such as Near Field Communications (NFC) and Bluetooth Smart. These technologies are required for smart cards and smartphones to ‘present’ credentials to a reader, and also enable smart cards to be tapped to tablets or laptops for authenticating to a network or application – a capability that may also become possible with smartphones.

NFC has taken the lead for tap-in strong authentication. Already a standard feature in smartphones and laptops, NFC is steadily becoming available in smart cards. With NFC, users can gain access to resources by simply ‘tapping in’ – without the need to enter a password on touch-screen devices, and without additional devices to issue and manage. Users can tap in to facilities, VPNs, wireless networks, corporate Intranets and cloud- and web-based applications, as well as SSO clients.

These benefits and the range of potential applications – together with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC – are driving many companies to seriously consider a mix of secure mobile physical and logical access for their facilities and IT access. The objective is not simply to substitute one credential form factor for another across isolated use cases, but rather to use mobile technologies to build unified solutions for ensuring secure access to the door, to data and to cloud applications.

Authentication

Strong authentication combines something the user knows (such as a password) with something the user has (such as mobile and web tokens), and can also be extended to include a third factor in the form of something the user is (which can be ascertained through a biometric or behavior-metric solution). Users have grown weary of the inconvenience of hardware One Time Passwords (OTPs), display cards and other physical devices for two-factor authentication. Also, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTPs with software tokens that can be held on user devices such as mobile phones and tablets, or as browser-based tokens. With software OTPs, organisations are able to replace a dedicated security token with the user’s smartphone, enabling two-factor authentication to grow in popularity and convenience. A phone app generates an OTP, or OTPs are sent to the phone via SMS. However, there are security vulnerabilities with software OTPs that have driven the need for a far more secure strong authentication alternative, such as smart cards based on the Public Key Infrastructure (PKI). The downside to this approach, however, is its high cost and level of complexity to deploy.

NFC offers many benefits for tap-in strong authentication applications as it becomes a standard feature of smartphones, tablets and laptops targeted at the enterprise market. It is poised to not only eliminate the problems of earlier solutions, but also offer an opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications. These include such physical access control applications as time-and-attendance, secure-print-management, cashless vending, building automation, and biometric templates for more factors of authentication – all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control functions were mutually exclusive, and each was managed by different groups, but now, the lines between these groups will begin to blur, especially as credentials converge onto smartphones.

Convergence

Within five years, we should see smartphones becoming an integral part of the ecosystem for the creation, management and use of secure identities. In some instances phones will replace cards, but in many others they will supplement cards to enable a more secure and user-friendly experience. The use of smartphones to receive digital credentials and ‘present’ them to readers will co-exist with existing capabilities to generate OTPs for accessing network or cloud- and web-based applications. Users will simply take the same card or phone they use for building access and to open parking gates, and use it in conjunction with a personal tablet or laptop to authenticate to many IT resources.

Users will appreciate the convenience of combining mobile tokens with cloud app single-sign-on capabilities, a model that blends classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget. Plus, these converged solutions reduce deployment and operational costs by enabling use of physical access control credentials to add logical access control for network log-on. Smartphones also are ideal for delivering multi-factor authentication capabilities as part of multi-layered security for the most effective threat protection.

As BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognising that no single authentication method is going to address today’s multiple devices and use cases.


© 2024 Professional Security Magazine. All rights reserved.
