An IT manager would prefer that the private key be stored on the smart card. Even if the network is hacked, the key is not there; it’s on the smart card in the holder’s wallet or purse. If the smart card is stolen, the thief will still need the PIN code to generate a digital signature. (This reduces the security of the scheme to that of the PIN system, although only when the attacker possesses the card.)

Thus, it is easy to see why smart cards provide a strong security authentication for enterprise single sign-on (ESSO) within organizations. However, there still remains one problem with all the above. Access to the system starts with a PIN or a card, either of which can be stolen. That’s why there is a need for one more improvement that will really make the IT manager happy: biometrics.

Enabling an ESSO system with the latest generation of biometric sensors provides a more convenient and more secure solution. Biometrically-enabled electronic software suites further leverage the advantage. With the simple touch of a finger, users can log into multiple applications and provide an irrefutable audit trail.

Both access control and IT managers realize that necessary security solutions cannot interfere with employees doing their jobs effectively, efficiently and safely. With a biometrically-enabled ESSO, one simple enrollment allows multiple uses across the whole enterprise, from entering the employee-only area to going into the warehouse, even using the POS system or entering time and attendance data.

This holistic view of enterprise security is vital and provides an integrated identity management system that is much more reliable and cost-effective as it eliminates the problems of having multiple identities tracked over an ever-increasing number of disconnected access points.

Educate Clients on Government Standards

The world is changing and government programs, at the insistence of their IT managers, are adapting with new authentication requirements. The Department of Defense’s (DoD) Common Access Card (CAC) is a prime example of a card that is used for both physical and logical access control. It is a smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, other non-DoD government employees, state employees of the National Guard and eligible contractor personnel. These smart cards are to be used as a general identification card as well as for authentication to enable access to DoD computers, networks and certain DoD facilities.

HSPD-12 and its supporting FIPS 2
01 mandate requires that all federal government employees and contractors possess a personal identity verification (PIV) card and use that credential for access to all government facilities, including federal, DoD and port facilities. NIST guidance, known as SP800-116, requires that every government facility physical access control system (PACS) utilize the strong authentication features of the PIV credential.

The requirements of SP800-116 represent use of advanced credential and individual identity authentication that is outside of the scope of most existing access control readers. They require public key infrastructure (PKI) processing that transcends the operational capabilities of most physical access control infrastructures. Although fully functional and well within their operational lifespan, most installed physical access control systems fail to meet these credential verification and identity authentication requirements set forth by government identity programs in the United States.

As anyone in the security industry knows, government standards have a way of walking — sooner or later becoming required for contractors and a host of companies that serve them. Therefore, in order to do certificate validation or signature checks of data, your customers will demand more than the typical card reader used in today’s physical access control applications. They need more horsepower. By adding in certificate validation, everyone now knows that the card was created by a trusted source.

Adding signature validation tells all that the data on the card can also be trusted as never having been changed, not even one bit of data. With biometrics used to initiate use, the IT department now has a system that it can converge with the physical access control system.

Bill Spence is Vice President, Transactions, for Albuquerque, N.M.-based Lumidigm, a provider of fingerprint biometrics solutions. He can be contacted at [email protected].

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content