Converged Access Control and IAM
Recently, I began a journey to identify a solution that could bring together our facility access control and primary multifactor authentication in a single unified credential. While it is a fairly simple concept at its core, there are numerous intricacies involved in making it operational in reality.
So where do you start? The first step is to identify your current access technology. Knowing this will help you determine what combination of technologies you will need in a new credential.
Next is to identify what technology you'd like to use for computer authentication. Some of the most common authentication technologies are PKI CAC, FIDO2, and SEOS. Each of these technologies has its own characteristics, so it's important to understand the benefits and limitations of each.
Today, most organizations that are using converged credentials are using PKI. This is because the Federal Government established the standard in the early to mid 2000s. While PKI is the most robust option, it also has some drawbacks. To start, PKI requires a significant investment in certificate services infrastructure. This is critical because each card will contain a user certificate unique to that person. By issuing user certificates, you become the certificate authority and will need to publish a public CRL so that third parties can confirm certificate validity. Additionally, you will need to host an ADFS farm for federation with cloud providers. While Microsoft does have built-in support for smart cards, it is limited. Many companies end up purchasing third-party middleware to help bridge the gaps.
Another option is to utilize integrated HID technologies like iClass, SEOS, Proximity, etc. While this may be an easier method to deploy, there are significant security implications inherent in technologies like HID Prox. Additionally, they require third-party middleware applications that don't always follow open standards.
The third technology I mentioned is FIDO2. FIDO2 is the newcomer on the block, but it is quickly becoming a favorite amongst the largest service providers. FIDO is an open standard being established by the FIDO Alliance. This is its biggest strength. The alliance has gained the support of Microsoft, Amazon, Apple, Bank of America, PayPal, and many others. Because of these partnerships, it is becoming the gold standard for passwordless identity. FIDO works by creating a unique private/public key pair for each service you register with a FIDO token. That private key is then locked and secured by a PIN or biometric as a second factor. The public key is shared with the service provider for future authentication requests.
By creating an individual public/private key pair for each service, you no longer need to host a certificate authority, CRL, or federation farm for your credentials. Each credential can be used with a variety of services, limiting the need for dedicated infrastructure and the potential for security vulnerabilities. In fact, many identity providers (Okta, Azure AD, etc.) already natively support FIDO2 credentials for second-factor and passwordless authentication. By leveraging the integrated functionality inside Windows 10 and Azure AD, you can authenticate using NFC contactless, contact, and USB FIDO2 authenticators without the need for any third-party middleware. By leveraging WebAuthn with FIDO2, credentials can be used for a myriad of web applications across devices and all major browsers.
As I am sure you can tell by now, I am partial to FIDO2. The reason is simple: it is the open standard that is being adopted quickly by the technology industry as a whole. Operating system, browser, and web application vendors are working together to ensure compatibility across a wide variety of end-user experiences.
By leveraging a credential that contains both FIDO2 and SEOS, we are able to support a wide variety of applications and use cases. HID also supports the ability to add legacy technologies such as HID Prox. This can be extremely useful when working through a transition of external devices like time clocks or printers. Enter the HID Crescendo C2300. The C2300 is the ultimate embodiment of a converged credential. These credentials support combining FIDO2, SEOS, and Prox.
In testing, I discovered many little nuances. Below are a few examples of things I ran across.
- With the middleware TecTango installed, when certain models of Getac laptops are put to sleep, the card reader does not operate on wake due to a power-state setting on the integrated reader.
- When using multi-technology cards, the card positioning may become very specific to operate under contactless conditions. In this example, with a Dell Precision laptop with an integrated reader, the card needs to be placed in specific alignment to read. One solution is to use the contact interface vs. NFC.
- On certain Getac models, you may need to disable the smartcard reader from the credential providers list to allow the laptop to successfully read via NFC/FIDO2 consistently.
In all the testing I performed, the HID Omnikey readers functioned flawlessly. I have yet to run into any software incompatibilities, and the placement of the cards does not seem to have a significant impact on the readers' ability to read them. I've tested both the 5022 and 5023 Omnikey readers.
The most important takeaway I can give you is test, test, test. Test every hardware configuration and software configuration you can. Ensure that your systems and software are fully and completely compatible. Don't rely only on specifications. There is a lot of evolution happening in this segment, and your testing is critical to get it right.