Two-factor authentication (2FA) exists to increase the certainty that the person requesting access is actually who they claim to be. You use it every day as you log on to your computer, fill your gas tank, get cash from an ATM, order from Amazon and, increasingly, enter a secure area.
This article will explore the differences between two-factor and two-step authentication, when your customer might require 2FA and what options are available for your customer's access control applications.
Authentication factors are independent categories of evidence that the person is who they claim to be. The three categories are:
- Something you know, such as a PIN, password or phrase.
- Something you have, such as a card, fob, key, mobile phone or token.
- Something you are, such as a fingerprint, face, iris, voice or DNA. This also can include an activity, such as your gait or handwriting.
2FA uses two factors from two different categories, such as a card plus a PIN. Multifactor authentication (MFA) is the general term for two or more categories; using all three is three-factor authentication. Two methods from the same category, such as a password plus a security question, are not two factors.
Two-step authentication is where the same factor category is used a second time. For example, after you enter your name and password, a bank might send you a one-time code to enter. If that code arrives in an email account that is itself protected only by a password, the second step is simply another piece of something known: it adds a step, and some friction, but not an independent factor. A code delivered to a registered phone edges toward something you have, but because phone numbers can be ported or SIM-swapped, it is a weak possession factor and is often still classed as two-step rather than two-factor.
Immediately after the introduction of any technology, criminals search for a way to borrow, steal or clone the credential, or password, or to replicate the image or data, which makes 2FA all the more important.
You have to know your zip code with your card to get gas and a PIN with your card at the ATM. You probably have at least 50 passwords for various online transactions. Many sites still force a change every month, even though current guidance (NIST SP 800-63B) discourages routine forced changes in favor of long passwords that are changed only when compromise is suspected, and each site has its own rules on how it must be done. The complexity gets so bad that, by one widely quoted survey figure, 85 percent of us have abandoned some online transaction. This time-consuming complexity is what the industry calls "friction." Your customers always want to avoid adding unnecessary friction to their access control process.
We've recently seen voiceprints used as a second factor for telephone transactions. This has the potential to reduce the cumbersome question-and-answer process. A voiceprint is a good 2FA method for the telephone but is not practical for access control at a door.
Help is on the way. Fast IDentity Online (FIDO) is an IT industry alliance whose standards pair a hardware-bound cryptographic key (something you have) with a local PIN or biometric, which makes the log-on both faster and more phishing-resistant than a password. The access control industry has used the card-plus-keypad process effectively for years. Several biometric-plus-keypad products are being introduced as well. A fingerprint card provides inherent 2FA, because its use requires two separate factors: the card (something you have) and the fingerprint (something you are). Adding a keypad on the access terminal yields a complete three-factor authentication process with something you have, something known and a unique personal characteristic.
Two-factor authentication generally has been used where higher levels of security are demanded. These include areas where hazardous materials or explosives are processed or stored, and where research or high-value data or goods are kept. However, 2FA now is being considered for a much broader range of facilities and applications. Data processing or storage, critical infrastructure and drug-storage areas are becoming 2FA prospects.
Because many of your customers might be considering a second authentication factor, you can serve as a knowledgeable, trusted business partner. Your client will want the solution to be cost-effective for their application and to work as reliably and simply as possible.
Be sensitive to the client’s environment. Some prefer a simple, industrial look, such as the more basic Alarm Lock, BEST Wi-Q or Corbin Russwin and SARGENT commercial products. Some want to display a slick, high-tech profile, as with products such as Bioconnect, Invixium, Sekureid or HID biometric 2FA readers.
Something You Know
We've seen the disastrous results of the password debacle. Long and complex passwords work well but are hard to remember, and we also have to have a different one for every site. Something known can be secure, but writing it on a note or storing it in plaintext almost guarantees that it will be stolen; a reputable password manager is the one place outside your head where it belongs.
The earliest knowledge-based devices were the original Sargent & Greenleaf Cypher-Lock that was used in Department of Defense applications and the still-popular Simplex keypads. (Read more at www.locksmithledger.com/12394679.)
For years, the Hirsch ScramblePad keypad has been regarded highly in high-security applications. The narrow viewing angle and the digit layout that is scrambled before each use make the PIN nearly impossible for prying eyes to read, and defeat the wear-pattern and smudge attacks that work against a fixed keypad. Thousands of these Hirsch keypads are in use at high-security locations, and they often are upgraded with a card or biometric second factor. PINs are combined in a number of applications with various credential or biometric methods to provide effective 2FA.
Something You Have
Card technology has gone through significant improvements in data capacity, transmission speed and security. With encryption of the data on the card, mutual authentication between card and reader, and a reader that protects its own keys, the card side of the transaction can be secure, but only as long as the person who presents the card is the authorized user. That's where 2FA is important.
HID has been at the forefront of North American card technology with its line of iCLASS cards and its Trusted Identity Platform. Many readers now accept multiple card technologies, which allows organizations to migrate from mag stripes or 125-kilohertz prox to 13.56-megahertz platforms. The migration matters: a 125-kilohertz prox card transmits a static, unencrypted ID and can be cloned with inexpensive handheld tools, so a prox card plus PIN is 2FA in name only if the card can be copied in a hallway. The European LEGIC and NXP's MIFARE DESFire technologies are popular high-security options as well.
You also could use a key, fob, token or mobile phone as a credential. Tokens, cards or mobile credentials can become complete 2FA devices when biometric elements are included. In many parts of the world, passports, bank and access cards, as well as other documents, are adding a fingerprint sensor on the card itself, so the match happens on the card. Near Field Communication versions harvest power from the reader, while Bluetooth Low Energy versions carry onboard battery power. Expect to see extensive deployment in the Americas in the near future.
Mobile credentials might be emerging as the dominant 2FA in the access control market. Current estimates indicate that 3.5 billion smartphones are in use today. Access control apps can run in "background mode" for quick access when on-site, with a second factor entered at specific doors where higher security is required. PINs are universally available on smartphones, which increasingly provide fingerprint or facial-recognition biometric options as well. One caveat: the phone's own PIN or fingerprint unlock is checked by the phone, not by the door. Unless the app requires that unlock at the moment of presentation and reports it to the reader, the door has only verified that the phone is present, which is one factor.
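The distinction drawn above between two-step and two-factor, and the per-door policy that lets a background-mode mobile credential open a lobby but not a server room, can be captured in a small access-decision routine. The following is an added example written for this article; it is not code from any reader or vendor named here. The method-to-factor table and the door policies are assumptions for illustration, and so is the design choice that the door counts only factors it verified itself: a biometric that merely unlocked the phone is recorded as not reader-verified and does not count.

```python
"""Factor counting for a door access decision (added example, not vendor code)."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories used in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of presented methods to factor categories.
# "emailed_code" is classed as knowledge on the assumption that the mailbox
# is itself protected only by a password (the two-step case in the text).
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "emailed_code": Factor.KNOWLEDGE,
    "prox_card": Factor.POSSESSION,
    "iclass_card": Factor.POSSESSION,
    "mobile_ble": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

# Assumed per-door policy: number of distinct factor categories required.
DOORS = {"lobby": 1, "server_room": 2, "explosives_store": 3}


@dataclass(frozen=True)
class Proof:
    """One thing presented at the door.

    reader_verified is False when only the phone checked the proof (for
    example, a fingerprint that unlocked the handset); the door cannot
    vouch for it and does not count it.
    """
    method: str
    reader_verified: bool = True


def distinct_factors(proofs):
    """Return the set of factor categories the door itself verified."""
    factors = set()
    for p in proofs:
        if p.method not in METHOD_FACTOR:
            raise ValueError(f"unknown method: {p.method}")
        if p.reader_verified:
            factors.add(METHOD_FACTOR[p.method])
    return factors


def classify(proofs):
    """Label a presentation: two steps of one category is 'two-step', not 2FA."""
    n_steps = len(proofs)
    n_factors = len(distinct_factors(proofs))
    if n_steps == 0:
        return "none"
    if n_factors == 0:
        return "unverified"          # everything presented was phone-side only
    if n_factors == 1:
        return "single-factor" if n_steps == 1 else "two-step"
    return "2FA" if n_factors == 2 else "3FA"


def door_allows(door, proofs):
    """Grant access when the verified factor count meets the door's policy."""
    return len(distinct_factors(proofs)) >= DOORS[door]


if __name__ == "__main__":
    card_and_pin = [Proof("iclass_card"), Proof("pin")]
    phone_only = [Proof("mobile_ble"), Proof("fingerprint", reader_verified=False)]
    print(classify(card_and_pin), door_allows("server_room", card_and_pin))
    print(classify(phone_only), door_allows("server_room", phone_only))
```

Run as written, the first line reports 2FA with access granted to the server room, and the second reports two-step with access denied, because the phone's fingerprint unlock was never seen by the reader. Swap `reader_verified=True` on that fingerprint, as an app that performs an attested unlock at the door would report, and the same presentation becomes 2FA.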
Something You Are
Biometric characteristics appear to be the ultimate identifying factor. Fingerprint devices, such as HID's multispectral Lumidigm fingerprint technology, provide high reliability, particularly in harsh environments and with worn or dirty fingers. Invixium and HID provide these fingerprint devices with cards as a second factor. Typical is the Sekureid Xenio system, which has multispectral imaging as well as HID's iCLASS plus MIFARE and DESFire cards. We likely will see 2FA integrated into other biometric technologies, such as iris scans, in the near future.
Facial recognition has been getting some bad press, but great strides are being made. Some of the criticism is valid, in particular the difference in false-match rates across populations and the risk of a photo or mask fooling a sensor without liveness detection, but much of it is media hype. Folks doing bad things never want to be identified.
Bioconnect has two readers that allow for facial recognition along with mobile or card credentials for two-factor authentication. However, we likely will see more high-quality facial-recognition and fingerprint technologies on mobile credentials in the near future.
So, how secure is biometric data? Because your stored information is simply data, someone always will look for ways to steal it, whether it be your Social Security number, password, photo or fingerprint. The difference is that a stolen password can be changed and a stolen fingerprint cannot, so the system should store only a mathematical template, never the raw image, and should keep that template encrypted and, where possible, on the card or in the reader's secure element rather than in a central database. Many (maybe most) of the electronic attacks you see on TV or in movies have been demonstrated in lab environments but tend to be extremely impractical. The real action always has been to steal or guess a password, get into a server and pull the records out in bulk.
A lot of smart people have worked on ways to encrypt the data on your credential, the transmission between card and reader, and the reader itself. A lot of effort also has gone into defending chips against side-channel attacks, where a key is recovered from power draw, timing or electromagnetic emissions picked up by a nearby sensor. The emerging crop of credentials can be secure.
Many of the products available from your wholesale distributors are offered with 2FA options. Most of these will be card plus keypad. Adams Rite, Alarm Lock, Allegion, BEST, Corbin Russwin, dormakaba and SARGENT build 2FA products in ANSI/BHMA Grade 1 locks.
A 2FA cabinet lock also is available from FJM, and the BEST Switch Core is available to the locksmith trade.
You will want to verify that a card option includes the technology your client uses. Verify that it will work. In one case, I sent a card sample to the reader manufacturer, asking it to verify that the card was compatible as claimed. It wasn’t.
Even the simplest 2FA technology, such as a card plus a PIN, adds a great deal of security to your client's access control portal, because a lost or cloned card alone no longer opens the door.
Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access industry. [email protected]