Organizations face increasingly severe challenges in securing cloud services, private data and facilities. Currently, the most ideal approach is to establish a common authentication solution that: a) supports integrated secure access to buildings, networks, and cloud services and resources; b) supports mobile keys that can be accessed easily and securely via a smartphone or tablet; c) provides multi-factor authentication for the most effective threat protection; d) interoperates with laptops, tablets and mobile phones that support Near Field Communication (NFC) for optimal security and user experience. A common authentication solution secures IT and physical infrastructure as part of an integrated solution that interoperates with traditional and NFC devices, and a variety of best practices help meet these requirements.

IT security best practices

The most important best practice is to abandon password-only authentication in favor of passwords combined with multiple security methods. Enterprises usually focus on security at the network perimeter and rely on static passwords inside the firewall to verify the identity of users. With the diversification of threats, such as advanced persistent threats (APT), mobile ad hoc hacking, and internal risks from employees using their own devices, the traditional approach is clearly inadequate. The problems with static passwords are endless, so companies should extend enhanced authentication to individual applications and servers as well as cloud systems.

These multiple security methods should include multi-factor authentication, device authentication, browser protection, and transaction authentication. The approach uses an integrated universal authentication platform and real-time threat detection. Threat detection technology has been used in online banking and e-commerce for some time, and it is expected to carry over to enterprises as an additional security measure for remote access applications such as VPNs or virtual desktops.

Two-factor authentication was previously limited to one-time password (OTP) keys, display cards, and other physical devices, but these are now being replaced by "software keys" and browser keys stored on phones and tablets. Organizations can use a user's smartphone in place of a dedicated security key, making a second authentication factor ("ownership") convenient to roll out widely. The mobile app generates the OTP, or the OTP is sent to the phone via SMS. For greater security, the authentication credential is stored on a secure element of the mobile device or on a Subscriber Identity Module (SIM) chip. Mobile keys can also be combined with single sign-on for cloud applications, pairing traditional two-factor authentication with simplified access to multiple cloud applications on a single device.

As identity management moves to the cloud, other key factors need to be considered. At present, discussion of this model's security focuses on securing the platform, but as enterprises move applications to the cloud and make full use of the software-as-a-service (SaaS) model, user identities have to be provisioned and revoked across multiple cloud applications. It is important to address these challenges while ensuring a secure, smooth user login. In addition, the industry needs to define best practices for managing and supporting a large number of personal handsets in a Bring Your Own Device (BYOD) environment. Authentication from personal devices to corporate networks or cloud applications will be a key requirement. While protecting corporate data and resources, it is also critical to ensure the privacy of BYOD users.

Best practices for access control security

Security best practices for access control systems include contactless smart card technology that uses two-factor authentication and key protection mechanisms. Smart cards are based on open standards, can use secure messaging protocols on trusted communication platforms within the security ecosystem, and are interoperable with a wide range of products. Smart cards have a universal, standard card edge that improves adaptability and interoperability, ensuring that they can be used on NFC smartphones and allowing users to use smart cards and mobile devices interchangeably for access control.

Keeping the access control system up to date is important for a number of reasons. Organizations may need to add new applications in the future, such as biometric templates; consolidations, mergers or acquisitions may require rebranding at short notice and new credential cards after the reorganization; and new security needs may call for better risk management to reduce losses, especially when the existing system is a low-frequency solution that is easy to clone. In addition, new legislative or regulatory requirements may demand increased security. Integrating multiple applications into one solution also offers many advantages: it gives organizations centralized management and gives employees the convenience of opening doors, logging in, and using time-and-attendance and secure print management systems, paying for meals or transportation, carrying out cashless transactions and other applications without having to carry multiple cards. This integration enables multi-factor authentication across key systems and applications throughout the IT infrastructure, not just at the perimeter, thus increasing security. In addition, integration lets organizations leverage existing credential investments to seamlessly add computer desktop login for network access and establish fully interoperable, layered security solutions across corporate networks, systems and facilities.

The integration of access control and network login is especially important in federal agencies. The 2005 Federal Information Processing Standards Publication 201 (FIPS 201) defines the requirements for standardized Personal Identity Verification (PIV) smart credential cards, which use smart cards and biometrics to strengthen authentication for desktop and access control systems. So far, FIPS 201 multi-factor authentication has mainly been used for PC desktop login and for digital document signing with PKI authentication, but these functions are also very effective for access control PKI, which is expected to be widely adopted in the future and to become the best practice of federated authentication. PIV cards (which may include multi-factor authentication for computer desktop login and physical access) are expected to be ported to NFC phones. Currently, upgrading the PACS infrastructure to support PIV cards requires only upgrading the card reader and using an authentication module (including all access control PKI authentication features) to enhance the functionality of existing panels and door controllers. Inserting these modules between the card reader and the existing PACS panel eliminates the need to "remove and replace" the existing controller infrastructure, as was previously required.

In addition, the same PKI verification function can be provided in commercial settings. In the years following the appearance of the PIV card, two further types of credential card were defined: PIV-interoperable (PIV-I) cards for government contractors and Commercial Identity Verification (CIV) cards for commercial use. The latter is a commercial version of PIV-I and can take advantage of the standards defined by the federal government's PIV project to bring reliable, open smart card technology to organizations outside federal agencies.

Mobile

Integrating physical access and computer desktop login into NFC phones is also one of the best practices, since users rarely lose or forget the device. With this convenient solution, users can enter the building, log in to the network, access applications and systems, and access the secure network remotely without having to carry a separate card, OTP key or key fob. In addition, the cloud identity provisioning model of mobile access control prevents credential card cloning and makes it easier to issue temporary credential cards, cancel lost or stolen credential cards, and monitor and modify security parameters as needed.

Despite the many advantages of mobile access control, this technology is unlikely to completely replace physical smart cards in the next few years. Instead, NFC phones will coexist with cards and badges, so that organizations can implement smart cards, mobile devices, or a mixture of both within the physical access control system. It is important to establish an upgrade path for this hybrid access control environment to ensure that current technology investments remain usable in the future. Upgrading to new features requires a scalable and adaptable multi-technology smart card and reader platform that allows legacy credentials and new credential technology to be combined on the same card while supporting the NFC mobile platform.

At the same time, organizations must also optimize the secure issuance of traditional cards. This includes integrating key visual and logical technologies for multiple verifications, as well as further improving security through the use of multiple hypervisors, while also increasing the efficiency of the issuance system. Most ID card issuance systems rely on two-dimensional authentication, comparing the credentials a person presents with the identity data displayed on the card (such as a photo ID), along with more complex elements such as high-resolution images or permanently laser-etched personalization features, which make forgery and tampering practically unworkable. Smart card chips, magnetic stripes and other digital components have become the third security dimension, and expanded card data capacity can hold biometric and other information, further enhancing verification. A networked intelligent card issuance system can handle all the necessary tasks in one step. Another effective best practice is to integrate the card reader/encoder into the card printer hardware, enabling organizations to take advantage of smart card applications in the future.

Best practices for physical access and computer desktop login, and for integrating both functions into a single solution, require open standards-based smart card technology that supports many applications and can be ported to NFC phones. By establishing this foundation and planning upgrades to new features in advance, organizations can choose to use both types of credential technology within their physical access control systems. Organizations can also adapt continually to meet new needs, and so protect their investments in existing infrastructure.
