Authentication – a critical part of any security solution
Authentication plays a vital role in keeping areas secure and protected from unauthorised people. Steve Bell, Chief Technology Officer at Gallagher, discusses the latest authentication technology, and explores the hackers’ mindset.
Access control combines authentication with the concepts of identity and authorisation to allow or deny people access to controlled areas. Identity is the claim someone makes about who they are. Authentication verifies this claim, and authorisation is the process that happens in the back-end of the system to determine that the person is permitted to access that area and to grant access.
As explained by Andrew Scothern, Chief Software Architect at Gallagher, there are different types of authentication that can be used to prove identity:
• Something I have – usually a physical token, such as an access card.
• Something I know – something non-physical; a secret that only you know about, such as a PIN or password.
• Something I am – a biometric, such as a fingerprint, iris, or facial ID.
In access control, there are different levels of authentication for opening doors. Single-factor authentication utilises ‘something I have’, requiring an access card to be presented at a reader in order to gain access to that area. Two-factor authentication requires an access card plus ‘something I know’ or ‘something I am’ as an additional level of security.
According to Adam Boileau from Insomnia, attackers will look for the easiest way into a system with the least chance of getting caught. Single-factor authentication could provide the means for bad actors to impersonate a legitimate person using a misplaced or stolen card to gain access. Multi-factor authentication instantly decreases the chances of this, as it requires an additional level of knowledge or a biometric. It also increases the odds of getting caught in the process, as system operators may be alerted to incorrect PIN attempts, for example.
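The alerting Adam mentions can be turned into a simple detection rule. The following is an added example written for this article, not Gallagher's software; the reader event format, the card numbers and the thresholds are all assumed, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of access-control reader events (not real system output).
# Fields: timestamp, card id, door, outcome of the PIN step at the reader.
SAMPLE_EVENTS = """\
2020-09-01T08:00:05 card=1042 door=ServerRoom result=PIN_FAIL
2020-09-01T08:00:19 card=1042 door=ServerRoom result=PIN_FAIL
2020-09-01T08:00:31 card=1042 door=ServerRoom result=PIN_FAIL
2020-09-01T08:01:02 card=1042 door=ServerRoom result=PIN_FAIL
2020-09-01T08:05:00 card=2210 door=ServerRoom result=PIN_OK
2020-09-01T08:07:44 card=3377 door=Lobby result=PIN_FAIL
2020-09-01T09:30:00 card=3377 door=Lobby result=PIN_FAIL
"""

def parse_events(text):
    """Turn one reader event per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def pin_failure_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one card accumulates `threshold` PIN failures inside `window`.

    A sliding window per card: old failures fall out as time advances, so
    isolated typos spread over hours do not trip the alert, but a run of
    guesses against a misplaced or stolen card does.
    """
    recent = defaultdict(deque)   # card id -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "PIN_FAIL":
            continue
        q = recent[ev["card"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:   # fire on the attempt that crosses the line
            alerts.append((ev["card"], ev["door"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for card, door, ts in pin_failure_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {ts.isoformat()} card {card} at {door}: repeated PIN failures")
```

Run against the sample, only card 1042 trips the rule; card 3377's two failures are over an hour apart and stay below the threshold.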
Andrew recommends organisations learn about the end-to-end provisioning of their credentials in order to better understand the security they offer. Understanding how the credentials are issued, where the authentication takes place, what information is stored in the back-end of the system, and what protections are placed around the data, can help organisations make informed decisions to keep themselves secure.
Utilising public/private keys is one way to ensure information is secured. Rolf Lindemann of Nok Nok Labs argues that passwords are broken, in part because they get stored in some form, usually on a server. If an attacker were to gain access to that server, they could retrieve the passwords and use them for malicious purposes. The same applies to access control authentication. Public/private keys ensure only public information is stored on a server, with the private key remaining safely in the user's possession.
Likewise, cardholders should be encouraged to protect their access credentials and ensure PINs and passwords remain secret, which includes not reusing a PIN or password across different systems – particularly between high security systems and those that are less secure.
A recent cyber report released by CERT NZ identified a 25 percent increase in phishing and credential harvesting in the second quarter of 2020. One small but vital thing organisations can do to protect themselves from these kinds of attack is to ensure their software is always kept up to date. Publicly known vulnerabilities in outdated software leave your systems open to exploitation.
Tune into Gallagher’s new Security in Focus podcast on iTunes, Spotify, or visit security.gallagher.com/securityin-focus.