The User Experience
Improving security by implementing tap authentication
- By Tim Phipps
- Aug 01, 2015
With the move to a mobile- and cloud-first world, corporate data has become increasingly difficult to protect. Employees’ expectations have changed, too—they want to be able to access corporate cloud applications, data and services anywhere, at any time, using the device of their choice. This can make networks significantly more vulnerable to security breaches. Reliance on passwords alone is not enough. When hackers steal an employee’s user name and password, they can then often move through the network undetected and upload malware programs to other systems.
Now, with the advent of a security model called “tap” authentication, it is possible to control access to data with a much more convenient process, using the same ID card that controls access to a company’s facilities.
With tap authentication, users simply tap their smart cards to laptops, tablets, phones and other NFC-enabled devices for easy and convenient access to network resources, cloud apps and web-based services. This quick tap of the card to a device is much easier and more secure than passwords. It is faster, more seamless and more convenient than dedicated hardware one-time password (OTP) tokens, display cards or other physical devices. Perhaps most important for users, it offers the convenience of being able to access data and cloud-based applications with the same card that opens doors.
SIZING THE PROBLEM
Today’s threats won’t diminish anytime soon. Nor will the cost of a data breach. IBM recently announced in its Security Services Cyber Security Intelligence Index Report that phishing, malware and other cyber threats are now costing organizations up to 19 percent in revenue and 21 percent in lost productivity, among other financial hits. Protecting access to corporate data is becoming ever more crucial.
One of the biggest problems is an over-reliance on passwords. Identifying and validating workforce identities used to be relatively easy and relied on the combination of a username and a password that users typed in to a PC to authenticate themselves to the machine and to the network. Workforce computer users had one password, and that password was used in one place only: at a stationary workstation in the office or at home. Once the user logged in, they had access to every application they needed to do their job.
Today, however, the enterprise landscape is rapidly changing. We now live in a mobile-first, cloud-first world where there’s no longer a single device that is used to access corporate data and services. On top of this, corporate security policies have changed, requiring users to authenticate themselves more often. For example, employees at the National Institute of Standards and Technology (NIST) log in on average 23 times a day, leading to password fatigue.
Plus, users now expect instant access to corporate data and services from anywhere at any time from their mobile device. This means that employees using traditional but weak username and password-based authentication are inadvertently opening up their organizations to a number of sophisticated cyber threats.
HOW TAP AUTHENTICATION WORKS
Tap authentication enables authentication to multiple apps and services on multiple endpoint devices without having to recall and re-type additional codes and passwords. The process requires only three simple steps. First, users open a browser on their NFC-enabled device and type the URL of the application they wish to access. Next, they enter their corporate username and password. Finally, they tap their access control card to the back of their NFC-enabled mobile device or tablet to provide the second authentication factor. The card can be “read” without needing to be physically inserted into a reader device.
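To make the three steps concrete, here is an added Python model of the server side of that flow. It is not the article's or any vendor's code. It assumes, as a constructed scheme, that each issued card holds a per-card secret key shared with the authentication service and answers a fresh server nonce with an HMAC over it, so that the tap is a real second factor tied to a secret rather than a static card number; the user record, salt, card key and application URL are all made-up sample values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed salt and user record for the example. In a deployment the
# password hash lives in the directory and the card key is written to the
# badge at issuance; every value below is made up.
_SALT = b"constructed-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery"),
        "card_key": bytes.fromhex("00112233445566778899aabbccddeeff"),  # constructed
    },
}


def card_answer(card_key: bytes, nonce: bytes) -> bytes:
    """What the tapped card computes: an HMAC over the server's nonce."""
    return hmac.new(card_key, nonce, "sha256").digest()


class TapLoginService:
    """Server side of the three-step flow: open app, password, card tap."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # session_id -> (username, nonce awaiting the tap)

    def step1_open(self, app_url: str) -> str:
        # Step 1: the browser requests the application; a session is created.
        return secrets.token_hex(16)

    def step2_password(self, session_id: str, username: str,
                       password: str) -> Optional[bytes]:
        """Step 2: check the password. On success return a fresh nonce that
        only the user's card can answer; on failure return None."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
            return None
        nonce = os.urandom(16)
        self.pending[session_id] = (username, nonce)
        return nonce

    def step3_tap(self, session_id: str, response: bytes) -> bool:
        """Step 3: verify the card's answer. The pending nonce is consumed
        whether or not the answer is right, so a captured response cannot
        be replayed into the same session, and a tap with no prior
        password step is refused."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        username, nonce = entry
        expected = card_answer(self.users[username]["card_key"], nonce)
        return hmac.compare_digest(expected, response)


def run_login(service: TapLoginService, username: str, password: str,
              card_key: bytes) -> bool:
    """Drive the whole flow for one user holding one card."""
    sid = service.step1_open("https://app.example.invalid/")  # constructed URL
    nonce = service.step2_password(sid, username, password)
    if nonce is None:
        return False
    return service.step3_tap(sid, card_answer(card_key, nonce))
```

The point of issuing a nonce in step 2 and consuming it in step 3 is that the card's answer is only valid for that one session; a password alone, or a card alone, never completes the login.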
Besides improving convenience, the tap authentication model takes advantage of the existing access control system to ensure a seamless user experience that can extend throughout the physical and IT access control infrastructure. The result is a single, more efficient and economical identity and access management system. By centralizing identity and access management in this way, organizations can consolidate tasks and reduce ongoing operational costs, and also have the ability to very flexibly scale and adapt capabilities while realizing growing value for the organization.
DEPLOYING TAP AUTHENTICATION
Adding tap authentication—like any other new access control capability—is difficult with a legacy physical access control system (PACS) based on static, hard-to-upgrade technologies. This is why so many organizations are moving to new PACS solutions that are based on dynamic technologies and therefore adaptable to changing needs and the latest best practices as security threats evolve.
Today’s PACS solutions also offer the improved security of contactless high-frequency or microprocessor-based smart card technology. The most effective of these smart card technologies uses mutual authentication and cryptographic protection mechanisms with secret keys, and a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. With a solid PACS foundation, organizations can also support many different access control applications on the same smart card—from access control for the parking lot, main door, or individual offices, to the new capability of tapping in and out of computer applications.
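The mutual authentication and secure messaging mentioned above can be sketched as an added Python example; it is a constructed protocol for illustration, not the article's or any PACS vendor's design. It assumes a per-card key diversified from an issuer master key, an HMAC challenge-response in both directions (card proves itself to the reader, reader proves itself to the card), and a session key that authenticates a counter on every later message so frames cannot be replayed or altered. The master key, card ID and command payload are made-up sample values.

```python
import hmac
import os

MAC_LEN = 8  # truncated tag carried on each secure-messaging frame


def diversify(master_key: bytes, card_id: bytes) -> bytes:
    """Per-card key the issuer loads onto one card (constructed scheme)."""
    return hmac.new(master_key, b"card-key" + card_id, "sha256").digest()


def session_key(card_key: bytes, nonce_t: bytes, nonce_c: bytes) -> bytes:
    return hmac.new(card_key, b"session" + nonce_t + nonce_c, "sha256").digest()


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key = card_id, key
        self.nonce_t = self.nonce_c = self.sk = None
        self.counter = 0  # next secure-messaging counter we will accept

    def respond(self, nonce_t: bytes):
        """Answer the terminal's challenge and issue our own."""
        self.nonce_t, self.nonce_c = nonce_t, os.urandom(16)
        return self.nonce_c, tag(self.key, nonce_t + self.nonce_c)

    def finish(self, tag_t: bytes) -> bool:
        """Verify the terminal's answer; open a session only if it holds the key."""
        if not hmac.compare_digest(tag(self.key, self.nonce_c + self.nonce_t), tag_t):
            return False
        self.sk = session_key(self.key, self.nonce_t, self.nonce_c)
        self.counter = 0
        return True

    def handle(self, frame: bytes):
        """Accept a frame of counter || payload || mac. Returns the payload,
        or None for a replayed (stale counter) or tampered (bad MAC) frame."""
        if self.sk is None or len(frame) < 4 + MAC_LEN:
            return None
        header, payload, mac = frame[:4], frame[4:-MAC_LEN], frame[-MAC_LEN:]
        if int.from_bytes(header, "big") != self.counter:
            return None
        if not hmac.compare_digest(tag(self.sk, header + payload)[:MAC_LEN], mac):
            return None
        self.counter += 1
        return payload


class Terminal:
    def __init__(self, master_key: bytes):
        self.master_key, self.sk, self.counter = master_key, None, 0

    def authenticate(self, card: Card) -> bool:
        key = diversify(self.master_key, card.card_id)
        nonce_t = os.urandom(16)
        nonce_c, tag_c = card.respond(nonce_t)
        # The card must prove it holds the diversified key; a card ID alone proves nothing.
        if not hmac.compare_digest(tag(key, nonce_t + nonce_c), tag_c):
            return False
        # The terminal proves the same to the card, which refuses a reader without the key.
        if not card.finish(tag(key, nonce_c + nonce_t)):
            return False
        self.sk, self.counter = session_key(key, nonce_t, nonce_c), 0
        return True

    def send(self, payload: bytes) -> bytes:
        header = self.counter.to_bytes(4, "big")
        self.counter += 1
        return header + payload + tag(self.sk, header + payload)[:MAC_LEN]


def demo() -> dict:
    """Run the protocol through its success and failure cases."""
    master = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed issuer key
    card_id = b"\x04\xa1\xb2\xc3\xd4\xe5\xf6"                      # constructed card ID
    card = Card(card_id, diversify(master, card_id))
    good = Terminal(master)
    result = {"genuine": good.authenticate(card)}
    frame = good.send(b"OPEN-DOOR-12")
    result["frame_accepted"] = card.handle(frame) == b"OPEN-DOOR-12"
    result["replay_rejected"] = card.handle(frame) is None
    frame2 = good.send(b"OPEN-DOOR-12")
    tampered = frame2[:4] + b"OPEN-DOOR-99" + frame2[-MAC_LEN:]
    result["tamper_rejected"] = card.handle(tampered) is None
    result["rogue_reader"] = Terminal(b"wrong-master-key").authenticate(card)
    result["id_only_clone"] = good.authenticate(Card(card_id, b"no key"))
    fresh = Card(card_id, diversify(master, card_id))
    fresh.respond(os.urandom(16))
    result["card_rejects_bad_tag"] = fresh.finish(os.urandom(32)) is False and fresh.sk is None
    return result
```

Each side only accepts the other after a correct answer to its own fresh nonce, which is what "mutual" buys over a card that merely announces an identifier, and the counter under the MAC is what makes the later message exchange "secure messaging" rather than plaintext commands.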
Today’s tap authentication solutions are cloud-based and don’t require any on-premises hardware to install or service contracts to maintain. IT deployment is a simple process of installing authentication system software and device apps, synchronizing users with the authentication cloud service, and notifying them when they can begin using the system. Organizations also have the option of deploying conventional card readers in areas where endpoints do not have built-in NFC readers.
There are other considerations for the most effective deployment. User authentication is one of five security layers that every organization should consider. The other layers include authenticating the device, protecting the browser, protecting the application, and finally authenticating the transaction with pattern-based intelligence for sensitive transactions. Implementing these layers requires an integrated, versatile authentication platform with real-time threat detection capabilities. This platform, combined with an anti-virus solution, provides the highest possible security against today’s threats. Organizations can also consider storing biometrics on the smart card. With biometrics, users can reliably authenticate themselves with the simple touch of a finger, enabling them to log into multiple applications while providing an irrefutable audit trail.
TAPPING IN TO THE FUTURE
Organizations are moving toward converged solutions that can be used to secure access to everything from doors to computers, data, applications, and cloud-based services. Tap authentication provides a key ingredient for achieving this objective, while at the same time delivering the convenience and simplicity of the tap experience.
Users have already traded in mechanical keys for smart cards that open doors and gates. Now, this same card can replace dedicated OTP solutions, within an access control system ecosystem that will continue to very flexibly scale and adapt while delivering growing value to the organization.
The system investments that are made today can be preserved over time as organizations grow, evolve, and continually improve their security capabilities to combat ever-changing threats to their facilities, information security, and information privacy.
This article originally appeared in the August 2015 issue of Security Today.