The World of Multi-Credentials: Which System Is Right for Your Customer?

Sept. 30, 2011

As security breaches and hacks are being reported daily, there is a growing awareness of the fallibilities of conventional security technologies and a heightened demand for better methods of access control.

Locksmiths recall the bump key episodes, in which it was claimed that most of the keys and locks protecting us were little more than child’s play to defeat. Then there were the headlines reporting that vehicle transponders could easily be cloned, rendering the majority of automotive electronic security ineffective. While both these claims were exaggerated and distorted, they focused the public’s attention on improving security.

Most recently, a rumor circulated that a readily available electronic device can be used to silently read and duplicate the typical proximity credentials used for electronic access control.

In fact, most credit and debit cards still rely on magstripe technology, which has been around the longest and is perhaps the most vulnerable of all credential technologies, yet it remains actively deployed.

No security technologies are perfect, especially those used for non-defense applications. The coming trend is that high-technology credentials are trickling down from the military into the civilian security marketplace.

Cost Considerations

In cost-driven markets, decisions are made based on factors other than ideology. The majority of electronic access control systems are installed at non-residential sites such as industrial, educational and municipal facilities, all facing strict budget limitations.

One of our customers, a state university, has been using magstripe photo IDs and there are no plans to change.

Another client, which, although technically part of the state system, has the ability to make its own decisions, recently decided to transition away from magstripe to proximity readers and credentials. This decision was reached for a few reasons. For one, the facility knew that magstripe was not the latest technology. Another factor was recurring problems with the magstripe readers: the contact between the credential and the reader tends to shorten the life of both the credentials and the readers. Finally, this school did not have a huge population of credentials distributed. These factors all added up to their move to proximity.

Another client, a library, used a couple of mechanical keypads. Last year we installed 32 cameras for them. So now they are moving up from a single PIN code shared by all the employees to standalone proximity with an audit trail. The video surveillance system fortifies the security posture of the premises, and proximity, although not a future-proof solution, is certainly a step up and will significantly improve security.

A defense contractor client has been using a combination of technologies for their many doors. But they also have guards and cameras. Although their readers are proximity, their credentials were upgraded to multi-technology as part of the corporate security policy. Other members of the corporate family use FIPS compliant smart cards.

A municipality has adopted a plan where they have deployed traditional proximity credentials but all new access control doors are equipped with multitechnology readers, providing for a timely transition as funds and heightened security requirements develop in the future.

Multitechnology permits enhanced features such as two-factor and mutual authentication, and multipurpose credentials, which have proven very effective for many end users.

Most security experts agree that two-factor authentication could be a key enabler in achieving these security goals. Still, many are reluctant to deploy this stronger form of authentication due to cost, complexity and the burden on users of carrying yet another item, such as a token or a USB device.

HID on the Desktop

HID Global addresses these concerns by placing building (physical) and network (logical) access control on a card already in use as an identity badge to gain access to an organization’s buildings.

The HID on the Desktop™ solution — comprising access control cards, OMNIKEY® contact and contactless card readers, and naviGO™ management software — provides a cost-effective, user friendly solution for a strong security posture.

HID on the Desktop provides varying levels of risk-appropriate security solutions to suit an organization’s risk tolerance and budget. For instance, card technology ranges from basic two-factor authentication (card and PIN) to a higher level of network security that uses Public Key Infrastructure (PKI) and digital certificates.

Another factor that is forcing security upgrades is the rise in regulatory and compliance requirements.

HID on the Desktop leverages the physical access ID cards that most organizations already have and use on a daily basis.

Organizations are accustomed to provisioning and managing these cards, and users are accustomed to carrying them, facilitating the transition to two-factor authentication on laptops and at the desktop.

Crescendo smart cards are PKI-enabled. Just below Crescendo is iCLASS, a contactless smart card. iCLASS secures the session with encryption and mutual authentication. Finally, users looking for a simpler, yet still strong, two-factor authentication strategy can make use of the widely deployed Prox contactless smart card. All of these options, which fall on a continuum of strong authentication security, are far more secure than username and password.

All HID cards work in conjunction with HID’s OMNIKEY contact or contactless card readers, available in a variety of form factors to suit the needs of nearly any application. naviGO software reads a user’s card and requests his/her PIN. If the user can’t remember that information, he or she is provided an emergency portal that features steps to securely retrieve it via knowledge-based authentication (KBA). This self-service approach eliminates the need for IT to get involved and reduces the cost that can be incurred by password resets in terms of IT time and loss of user productivity.

Organizations can also use HID on the Desktop to set and enforce automated, centralized access policies for on-site and remote users. These policies tie into Microsoft’s Active Directory via naviGO, so organizations can easily track and audit individual user activity to comply with industry and government mandates.

For more information on HID multi-credential products, visit www.hidglobal.com.

Schlage AptiQ

The threat of proximity credential cloning in an environment where reasonable security management policy is in force is very real. All it takes to clone a card is a very inexpensive device that can be ordered over the Internet. Nobody would know that a cloned card was being used.

With a multi-technology reader being installed at every new door, organizations are able to flexibly plan for the future, using their present proximity cards today and migrating to smart cards when budgets and time allow. They can upgrade on their preferred timelines, not due to the whim of technology that forces a "now or never" alternative.

Smart cards can be used in diverse applications such as access control, cashless vending, meal programs and transit applications because of their ability to read data from and write data to the card. Smart cards also employ advanced security features that make them an ideal candidate for both high security applications and those in which important data or financial information will be transmitted.

aptiQ covers all of the applications in which proximity works, plus high-security applications, situations requiring data storage, protection of high-value areas or information, and scenarios requiring multiple credential applications.

The aptiQ smart card is designed on an open architecture platform and can be used both in access control systems manufactured by Ingersoll Rand, as well as third party systems.

There are three basic form factors: clamshell cards, ISO Cards, and an adhesive PVC patch. Within those three form factors, Schlage offers the following 12 types:

  • SXF8420 MIFARE DESFire EV1 16k bit Clamshell Card
  • SXF8440 MIFARE DESFire EV1 32k bit Clamshell Card
  • SXF8480 MIFARE DESFire EV1 64k bit Clamshell Card
  • SXF8520 MIFARE DESFire EV1 16k bit ISO Card
  • SXF8520M1 MIFARE DESFire EV1 16k bit ISO Magnetic Stripe Card
  • SXF8540 MIFARE DESFire EV1 32k bit ISO Card
  • SXF8540M1 MIFARE DESFire EV1 32k bit ISO Magnetic Stripe Card
  • SXF8580 MIFARE DESFire EV1 64k bit ISO Card
  • SXF8580M1 MIFARE DESFire EV1 64k bit ISO Magnetic Stripe Card
  • SXF8720 MIFARE DESFire EV1 16k bit PVC Patch
  • SXF8740 MIFARE DESFire EV1 32k bit PVC Patch
  • SXF8780 MIFARE DESFire EV1 64k bit PVC Patch

Look for the “EV1” designation to ensure you have the most secure card.

A Mifare DESFire card is sold already programmed with general purpose software (the DESFire operating system) that offers a simple directory structure with files, similar to what is typically found on smart cards. The maximal read/write distance between the card and reader is 10 cm (4 inches), but actual distance depends on the field power generated by the reader and its antenna size.

MIFARE DESFire EV1 is a new evolution of the DESFire card described above and is broadly backwards compatible. It is available with 2 KB, 4 KB and 8 KB of non-volatile memory. Other features include:

  • Support for random ID
  • Support for 128-bit AES

In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The AES ciphers have been analyzed extensively and are now used worldwide. AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001, after a 5-year standardization process. It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.
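The cloning risk discussed above comes from credentials that only emit a static identifier. The mutual authentication that iCLASS and DESFire EV1 support instead requires both card and reader to prove knowledge of a shared AES-128 key without ever transmitting it. The Go program below is an added example, not code from Schlage, HID or NXP: a simplified three-pass challenge-response modelled on that idea (assumed 8-byte nonces and one AES block per message in plain ECB; the real DESFire command set and chaining differ), in which a card or reader lacking the key is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func aes128(key []byte) cipher.Block { // a 16-byte key selects AES-128
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}
func enc(key, in []byte) []byte { out := make([]byte, 16); aes128(key).Encrypt(out, in); return out }
func dec(key, in []byte) []byte { out := make([]byte, 16); aes128(key).Decrypt(out, in); return out }

// nonce draws an 8-byte challenge (assumption: 8 bytes so a pair fits one AES block).
func nonce() []byte { b := make([]byte, 8); rand.Read(b); return b }
// rotl rotates a nonce left one byte; sending rotl(n) proves the sender decrypted n.
func rotl(n []byte) []byte { return append(append([]byte{}, n[1:]...), n[0]) }

type Card struct{ key, rndB []byte }         // key never leaves the chip
type Reader struct{ key, rndA, rndB []byte } // key provisioned by the system owner
// Pass 1: card sends E(RndB || 0^8).
func (c *Card) Challenge() []byte {
	c.rndB = nonce()
	return enc(c.key, append(c.rndB, make([]byte, 8)...))
}
// Pass 2: reader recovers RndB and answers E(RndA || rotl(RndB)).
func (r *Reader) Respond(encB []byte) []byte {
	r.rndB = dec(r.key, encB)[:8]
	r.rndA = nonce()
	return enc(r.key, append(r.rndA, rotl(r.rndB)...))
}
// Pass 3: card accepts the reader only if rotl(RndB) checks out, then sends E(rotl(RndA) || 0^8).
func (c *Card) Verify(encAB []byte) ([]byte, bool) {
	p := dec(c.key, encAB)
	if !bytes.Equal(p[8:], rotl(c.rndB)) {
		return nil, false
	}
	return enc(c.key, append(rotl(p[:8]), make([]byte, 8)...)), true
}
// Confirm: reader checks the card's proof; success means both sides hold the key.
func (r *Reader) Confirm(encA []byte) bool { return bytes.Equal(dec(r.key, encA)[:8], rotl(r.rndA)) }
// Authenticate runs the three passes; a key mismatch on either side fails.
func Authenticate(c *Card, r *Reader) bool {
	encA, ok := c.Verify(r.Respond(c.Challenge()))
	return ok && r.Confirm(encA)
}
```

Because each run uses fresh random nonces, a recording of one successful exchange is useless for a later one, which is what separates this from reading back a fixed proximity ID.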

The aptiQ credential can be read by the smart card readers in the Schlage and XceedID product lines. It can also be read by select multi-technology readers from Schlage and XceedID. Schlage AD-Series locks that include the smart card reader module or multi-technology module are also capable of reading aptiQ smart cards from Schlage.

There are many industry guidelines, outside the DHS sector, that recommend credential and reader selections. For instance, the US DEA recently issued a new rule requiring doctors and pharmacists to use two-factor authentication when electronically prescribing controlled substances. The most usable combination is a smart card with a biometric, with the biometric template stored on the card. The government demands that the card have a cryptographic device, which the aptiQ smart card has.

The Schlage readers that read aptiQ smart cards also read the government’s PIV cards. Utilizing smart card or multi-technology readers from Schlage would be useful for sites utilizing mixed card types.

Although both PIV cards and aptiQ are ISO 14443-based credentials, they differ in terms of openness, security, and processes for issuance. aptiQ is an open-architecture, contactless smart card enabling significant customization and featuring the highest levels of encryption currently available on contactless smart cards.

The PIV card is a credential used by the government. It has an extra component, a dual interface, which lets information be stored and accessed in either contactless or contact environments.

The Schlage AD-Series Wireless Portable Reader can be used for applications such as attendance, event admission, checkpoints, signal testing, mustering and perimeter expansion. Applications are diverse. For example, on a school field trip, a school could use the reader to check students in for each bus.

Industry could use the reader at muster points to verify who has left the plant during a fire or other emergency, thereby confirming an evacuation is complete and there is no need to jeopardize the lives of emergency responders by entering the premises.

The portable reader is fully compatible with Schlage AD-Series locks and PIM400s.

The reader is also field-configurable to work as a Wireless Portable Signal Tester, making the site survey more meaningful and the installation of wireless access control systems easier and faster.

LED indicators communicate valid (green) and invalid (red) credential status.

For more information on Schlage aptiQ, visit www.securitytechnologies.ingersollrand.com.

To read additional Locksmith Ledger articles on multi-credential technologies, visit http://tinyurl.com/smartcard0911.

About the Author

Tim O'Leary

Tim O'Leary is a security consultant, trainer and technician who has also been writing articles on all areas of locksmithing & physical security for many years.