5.17.19 -SSI – David Smith
Contactless smart cards can offer an efficient, sophisticated, secure and cost-effective solution to the identity management and access control problem.
Smart card technology allows a user to carry specific computing power in their wallet. A smart card is a small plastic card with an embedded computer chip. The built-in chip can either be a microprocessor with internal memory or a memory chip with non-programmable logic. They can be customized and programmed for receiving, storing, processing and transmitting data.
A contactless smart card is a variation of the smart card. It contains a chip and a radio frequency identification (RFID) antenna (copper or aluminum) attached to the chip for reading information from, and writing information to, the chip's memory.
To complete a transaction, contactless cards do not have to be swiped or inserted into a smart card reader. Instead, they only need to be waved within range of the reader's electromagnetic field for information to be read from and stored in the chip.
ISO/IEC 14443 defines the standard for contactless smart card communications. It allows for communications at distances up to 10 cm (3.9 inches). The range of operation of the contactless smart card can typically vary from 63.5 mm to 99.06 mm (2.5 inches to 3.9 inches) depending on the range of the reader.
Contactless smart cards have a wide range of applications in payment solutions, identity management solutions, and transport and ticketing, among others. Below we'll concentrate on smart card applications in enterprise access control and identity management solutions.
Physical Access Control is the process of identifying employees or other personnel when they physically enter the premises. Smart ID cards are increasingly used by businesses, government and educational institutions to restrict physical access to their offices or to different zones within an office or campus. Security professionals can implement sophisticated organization-level security policies using smart cards.
Logical Access Control refers to the process of identifying a user on the network and providing access to the networked resources used by the organization. Employees use wired and wireless networks to access resources such as printers, scanners and other equipment. A simple password-based authentication may not be enough to provide the required levels of security. Smart cards can be used in combination with other authentication methods to provide multi-factor authentication and strengthen the logical access security.
A single ID card can be used to provide both physical access to the premises and logical access to various applications and network resources, thereby reducing cost and increasing end-user convenience.
The process of implementing access control solutions using contactless smart cards across an organization is not simple. There are multiple factors that need to be considered to ensure that an enterprise-wide solution can be deployed seamlessly and effectively.
Policy makers need to decide the level of personalization required for each card. Many organizations print the user's photo and designation on the smart card. But personalizing smart cards increases the complexity of card life-cycle management systems.
The life cycle of a card starts the moment the user joins the organization and is given a new card, and ends when he leaves the organization and returns the card. Policies should be implemented in the access control systems to prevent card misuse and to manage the overall life cycle of the user and card.
For large enterprises with multiple branches, compatible card readers should be physically installed at all locations, and a distributed access control system should be in place to control whether employees based in one physical location may or may not access specific resources at other locations.
The access control and card management solution may also be used to track users' in/out times and intermediate activities on the network. Attendance and leave management and payroll calculation solutions may interface with the access control solution to determine employee work hours. Since employees may tap in and tap out multiple times during the day, determining the most relevant in and out time for the day is a challenge for many organizations.
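One way to resolve a day's taps into in/out times, shown as an added example that is not from the article or any vendor product. It assumes a first-IN/last-OUT policy, readers that report a direction, and a constructed tap log; the function name `summarize` and the record layout are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample tap log: (card_id, reader direction, ISO timestamp).
TAPS = [
    ("C100", "IN",  "2019-05-17T08:58:00"),
    ("C100", "OUT", "2019-05-17T12:30:00"),
    ("C100", "IN",  "2019-05-17T13:15:00"),
    ("C100", "IN",  "2019-05-17T13:16:00"),  # repeated IN, no OUT between
    ("C100", "OUT", "2019-05-17T18:02:00"),
    ("C200", "OUT", "2019-05-17T17:00:00"),  # OUT with no IN that day
]

def summarize(taps):
    """Return {(card_id, date): summary} under a first-IN / last-OUT policy."""
    by_day = defaultdict(list)
    for card, direction, ts in taps:
        t = datetime.fromisoformat(ts)
        by_day[(card, t.date().isoformat())].append((t, direction))

    result = {}
    for key, events in by_day.items():
        events.sort()  # chronological order per card and day
        ins = [t for t, d in events if d == "IN"]
        outs = [t for t, d in events if d == "OUT"]
        on_site, open_in, anomalies = 0.0, None, []
        for t, d in events:
            if d == "IN":
                if open_in is not None:  # second IN while already inside
                    anomalies.append(f"IN at {t:%H:%M} without prior OUT")
                else:
                    open_in = t
            elif open_in is None:        # OUT with nothing to pair it with
                anomalies.append(f"OUT at {t:%H:%M} without prior IN")
            else:                        # close the open IN/OUT interval
                on_site += (t - open_in).total_seconds() / 60
                open_in = None
        if open_in is not None:
            anomalies.append(f"IN at {open_in:%H:%M} never closed")
        result[key] = {
            "first_in": ins[0].strftime("%H:%M") if ins else None,
            "last_out": outs[-1].strftime("%H:%M") if outs else None,
            "minutes_on_site": int(on_site),  # sum of paired intervals only
            "anomalies": anomalies,           # unpaired taps for review
        }
    return result
```

Unpaired taps are reported rather than silently dropped, so the same pass that feeds attendance also surfaces taps that warrant a look under the card-misuse policies mentioned above.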
Contactless smart cards can offer an efficient, sophisticated, secure and cost-effective solution to the identity management and access control problem. An initial investment is required to get everyone in the organization on board, set up relevant policies and procedures and identify or build a solution that satisfies all the security needs of the organization.
However, once implemented, it is convenient and time-saving, reducing the time spent by gate-keepers and receptionists who are responsible for physical access control, as well as by network administrators who are responsible for logical access control in the organization.
David Smith is an independent consultant in a number of information security and smart card-related projects and systems involving smart card technology and digital payment. Email him at firstname.lastname@example.org.