October is a busy month—in addition to being “Inktober,” “Filmtober,” and the month that gave us Jeff Goldblum—it happens to be National Cyber Security Awareness Month. We’d be remiss if we didn’t use this opportunity to talk about the intersection of cyber security and ID badge technology.
We often present smart cards as an answer to the need for increased security. But we have become increasingly aware that many clients don’t actually understand why or how smart cards increase security. As a result, many organizations that could benefit from this strong technology do not.
Multi-factor authentication (MFA) simply means requiring a user to present more than one piece of evidence that they have the right to access something. You are probably already aware of this, as it is increasingly the norm for online services. Rather than simply presenting your password, you may be asked to also give a PIN sent to your mobile device. Such two-factor authentication helps to significantly reduce the success of phishing attempts and guessed passwords.
You might, at this point, ask what this has to do with smart cards. After all, it would seem that when using a smart card you are simply asked for a PIN to confirm your identity (in fact, sometimes a PIN isn’t even required). But your smart card is usually using MFA (or, at least, incredibly strong single-factor authentication) even if you don’t realize it.
Smart cards often provide digital signatures with every exchange. To do this, there’s typically a private key stored in your card, and a public key which is available to anyone. These keys are unique to each ID badge.
To authenticate the holder of a badge, the smart chip (using really cool math) combines a simple message with the private key. These are combined in a way that makes it impossible, in practice, to determine the private key from the result. But, as the math would have it, the public key can be used to determine if the combination was indeed made with the correct private key.
So, simply put, when you present a smart ID card as proof of identity, there is math behind the scenes which confirms that that card is indeed the original. It is not falsifiable, because there is no way for someone to counterfeit (or know) your private key.
Why is this better than a PIN?
A PIN is a secret both parties know. The verifier needs to know the PIN to verify it. So, if the verifier’s information is compromised, anyone could present the PIN as proof of identity. In contrast, only the smart card knows the private key. It doesn’t matter, in fact, who has the public key that the verifier uses—it’s public after all!
So, every piece of data in your servers could be hacked and your smart cards will still not be compromised—the private key only being known by the physical card. This is cool (and extremely useful).
This also makes smart cards considerably more secure than the two-factor authentication used by Facebook, say. Often, MFA introduces more shared secrets (such as PINs or passwords) instead of adding a digital signature. This is why smart card tech is so powerful for identity management, and why we are quick to suggest it for access control or in any case where identity verification is paramount.
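The contrast between a shared PIN and a card-held private key, as an added example that is not part of the original article: after the verifier's records are copied, the PIN still works for whoever holds it, while the public key and an old signature do not. The `Card` and `Verifier` classes, the PIN value and the demo key are constructed for illustration; the key is textbook RSA over two publicly known primes, so it shows the mechanism only.

```python
import hashlib, hmac, secrets

# Constructed demo key: textbook RSA over two well-known Mersenne primes.
# Not secure (the factors are public). A real card generates its key on-chip
# and uses a padded scheme such as RSA-PSS or ECDSA.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: exists only on the card

def _digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")

class Card:
    """Hypothetical badge: holds the private key and never exports it."""
    def __init__(self, private_exponent: int, modulus: int):
        self._d, self._n = private_exponent, modulus

    def sign(self, challenge: bytes) -> int:
        return pow(_digest(challenge), self._d, self._n)

class Verifier:
    """Hypothetical door or login server: stores only what it checks against."""
    def __init__(self, public_key, pin: str):
        self.db = {"public_key": public_key, "pin": pin}  # what a breach exposes

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per attempt, so old answers are useless

    def check_signature(self, challenge: bytes, signature: int) -> bool:
        n, e = self.db["public_key"]
        return pow(signature, e, n) == _digest(challenge)

    def check_pin(self, pin: str) -> bool:
        return hmac.compare_digest(pin, self.db["pin"])

def breach_outcome():
    """Return (genuine card, stolen PIN, stolen public key, replayed signature)."""
    card, verifier = Card(D, N), Verifier((N, E), "4821")
    c1 = verifier.new_challenge()
    sig1 = card.sign(c1)
    genuine = verifier.check_signature(c1, sig1)
    stolen = dict(verifier.db)                     # copy of the verifier's records
    pin_reuse = verifier.check_pin(stolen["pin"])  # shared secret: works for anyone
    c2 = verifier.new_challenge()
    n, e = stolen["public_key"]
    forged = verifier.check_signature(c2, pow(_digest(c2), e, n))  # no private key
    replay = verifier.check_signature(c2, sig1)    # old signature, new challenge
    return genuine, pin_reuse, forged, replay

if __name__ == "__main__":
    print(breach_outcome())
```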
More than just for physical access
We are talking about cyber security after all. It is increasingly the case that access to digital information needs to be more secure than access to physical locations. Your computer systems, most likely, already support the use of smart cards as a way to grant access to computers, or certain files.
If your employees already carry ID badges, introducing this technology as a security measure doesn’t add any real encumbrance. So, perhaps it is time to increase cyber security through your ID badge program.