Identity management has become an increasingly important method of protecting assets, data, and premises by organizations, many of which have thousands of workers on their payroll. Making matters worse, these workers include not only full-time employees but temp workers and contractors as well. Determining whether these people are who they say they are and allowing them access to critical areas or secure networks has become a major focus for end users, who can be aided by advanced technologies such as multifactor authentication.
Identity management has become an increasingly important method of protecting assets, data, and premises by organizations, many of which have thousands of workers on their payroll. Making matters worse, these workers include not only full-time employees but temp workers and contractors as well. Determining whether these people are who they say they are and allowing them access to critical areas or secure networks has become a major focus for end users, who can be aided by advanced technologies such as multifactor authentication.
Identity management is a growing sector. A recent Research and Markets report indicated that the industry stood at a size of US$5.1 billion in 2013 and is expected to hit $10.4 billion in 2018, translating into a compound annual growth rate of 15.1%. Growth is driven by strong demand from organizations seeking to protect premises and sensitive data from intruders. Being able to identify people accurately is critical, especially for large enterprises that maintain thousands, if not tens of thousands, of workers around the globe. Further, the roles assumed by workers have become more diverse. For enterprises nowadays, staff does not just include full-time employees but also part-time workers, temp workers, and contractors. The need to effectively manage these workers and grant them access to company premises or data has therefore spawned advanced management solutions. “The process of managing identities and authorizations should be straightforward and user-friendly in order to manage many different identities quickly, while at the same time decreasing the chance that human mistakes occur,” said Arjan Bouter, Head of Sales at Nedap Security Management. “If you use temporary staff to make the most of seasonal peaks, you set (the system) so they're only authorized to access your production facility for a specific period. When this period ends, their access rights are withdrawn automatically.”
.jpg)
Multifactor authentication
Multifactor authentication involves vetting one's identity based on two of the three factors: “what you know” (a password), “what you have” (a card or token), and “what you are” (biometrics). It has become an important identity management method, especially for access into critical areas. “Organizations with high security requirements such as financial institutions and government agencies tend to adopt multifactor authentication to grant access. For example, the Department of Defense in the U.S. has incorporated fingerprint biometrics and facial images into its common access card (CAC), which controls entry to DoD facilities and information systems,” said Jordan Cullis, Head of Identity Assurance for APAC at HID Global.
Components
The need for multifactor authentication arises amid the sense that using one single factor is not sufficient to prove one's identity. “Single factor is normally an RFID token ‘what you have' factor. These are easily shared or lost, and they do not guarantee identity,” said Steve Bell, CTO for Security at Gallagher. “Adding a PIN does provide a much higher certainty of identity.”
Most experts agree that passwords are an ideal second factor that is relatively inexpensive and easy to deploy. “For instance, there are many readers that have a keypad built in, and they are wired in the same fashion as those without. In this way, the readers can use a passcode and smart card for dual authentication without the added installation cost of installing two separate readers,” said Jeremy Earles, Credentials Business Leader at Allegion. The third, and final, layer of security is biometrics, which identifies a person based on his or her biological attributes. “Biometrics is available with different ways, like fingerprints, finger veins, or facial recognition,” said Tom Su, Sales Manager at Hundure Technology.
While effective, concerns over biometrics continue to linger. One of the major issues is cost, which could be twice as much as a standard card reader. “Adding biometrics may additionally require a network connection to the reader, as biometrics templates are larger data packets. It will be more expensive,” Bell said.
There is also an inconvenience factor, especially for people in a hurry to get to work. Furthermore, “some people don't like to use biometric readers for personal hygiene reasons and feel reluctant to put their hands or fingers on something that everyone else has touched,” said Jerry Cordasco, CTO at AMAG Technology.
According to Bouter, eye identification — based on retina or iris recognition — offers the best accuracy and gives good identification results. “The better you understand the various benefits and shortcomings of a biometrics system, the better prepared you are when it comes to the implementation of that system,” he said.
Multifactor vs. Single-Factor
Choosing between single-factor and multifactor authentication is an act of balancing between cost, convenience, and the risk level of the end user organization.
“Many public sector organizations and banks need to be open to the public, while their employees have to be separated from this same public by a ‘Chinese wall' of heavy security. And, in the same organizations, behind this wall, employees have to be authorized for different areas or rooms. In these cases it can be worthwhile installing PIN or iris-scans to your access security,” said Bouter. “This doesn't really work in locations like hospitals or offices, where many people enter and leave the building frequently. In these situations, the security threat shouldn't be the only factor that determines access security; the type of organization and the system's users are equally important. If ease of entry is of greater value than security, then a PIN or biometric system simply doesn't work.”Ultimately, the number of factors to grant access to employees depends on the user's needs and requirements.
Physical and logical access integration
While identity management solutions can effectively control who can enter a physical premises, they can also control who should enter a company's network, where sensitive information is kept. And in the same way multifactor authentication is used to grant users access into a building, it can be used to authenticate users seeking to log on to the company's network.
“Each level of identity verification adds a further layer of protection. Seventy-two percent of network intrusions in 2013 exploited weak or stolen credentials. Strong authentication technology significantly strengthens the fabric of the layered security,” said Jennifer Dean, Identity and Access Marketing Communication Manager at Gemalto. Integrating both physical and logical access on a single device, be it a card or mobile phone, has become more common. There are many benefits, with ease of management being one of them. “You can terminate an employee, and someone could take their access to the building out. But if somebody forgets to take their access to the network out, they are still able to log into the network and cause damage,” Cordasco said. “It's just the simplicity for managing the top-level identity that draws people to physical and logical access integration.”
With near-field communication (NFC), authenticating users for physical and logical access via their mobile phones becomes a possibility. “If we see the adoption of NFC being the key to go forward, the future is such that for any company with NFC capability on their door latches, the central server that controls those can be connected to other servers. Once those connections are in place, your phone will allow you to open door at your company and log on to PC,” said Andy Kemshall, Co-Founder and Technical Director at SecurEnvoy. But NFC has yet to become a norm, due to several reasons. NFC-enabled phones are still a novelty, with Wired Magazine predicting that by 2016, only a quarter of Americans will have NFC smartphones. With this, companies may decide that investing in NFC-based access and identity management technologies is not worthwhile. Security also plays a role, especially with increasing prevalence in phone hacking. Pointing an NFC-enabled phone to a malicious NFC tag may allow hackers to take control of that phone, which nowadays contains lots of user information like social security number and credit card number.
Collaboration With IT
Since most integrators are more proficient at physical access, integrating physical and logical access requires cross-departmental communication and cooperation. “The integrator will have to collaborate with the customer's logical access team and the physical access team as they used to operate independently. Bringing all the parties together at the beginning of the project and communicating the project goals and its impact on team's funding are critical,” Dean said.
Peace of mind
Modern ID management solutions, supported with multifactor authentication, can effectively determine whether people are who they say they are. Access to company facility or network by those who are not supposed to can be prevented, and end users can take comfort in the fact that their important company assets are protected.