- Healthcare organizations using access badges to secure physical access to (all or part of) their premises increasingly ask for the ability to use the same badges for access to their network and applications. Usually, it’s the IT department expressing this desire, looking as they are for a solution to the many and complex passwords that end users have to remember. Of course, as many realize, it is possible to fulfill this wish using single sign-on (SSO) solution in combination with authentication management.
There are two ways of combining physical and logical access: Using SSO or with certificates and/or public key infrastructure (PKI). PKI is not contactless, making it an expensive solution. When organizations want to send encrypted emails or implement encrypted access, some recommend a PKI structure. They are then dependent on a contact-based crypto chip, but most organizations want to achieve quick and easy logins for their end users.
With SSO solutions connected to an access badge, all combinations of user names and passwords are replaced. Users can present a badge to a reader and optionally enter a PIN code, and are then logged in to Windows automatically.
The SSO solution takes care of all the subsequent login procedures automatically so that users can open all their applications immediately. When they remove their badge or present it to the reader again, they will be logged out. This is a solid means of authentication, as it is based on something that the user owns (the badge) and something the user knows (a PIN code). This is also known as two-factor authentication.
Physical access badges also are suitable for providing network access. Virtually all badges currently available in the market provide support for combining logical access and SSO. Badges also can be used for “follow me” printing (more on “follow me” below).
In many instances, however, to avoid having to log in and out of applications all the time, some employees resort to all sorts of workarounds; for example, sharing the same account. With access cards, however, users can log in by swiping their badge across a reader then they can even have their open sessions follow them to another PC. Presenting the badge to the reader for that machine gives them access to the applications they previously opened, within just a few seconds.
Link with the HRMS system
From a security perspective, it’s not desirable that employees can link any badge to the system so as to log in to their workstation. SSO can offer a link to the Human Resources Management System (HRMS), so that it can be checked whether the badge a user wants to link has been registered in the badge system and is valid and not flagged as lost. Similarly, access badges can be deactivated quickly when an employee’s contract is terminated.
If new users enter the organization, a badge is assigned automatically. Users are matched against Windows Active Directory automatically meaning they can only gain access to the municipality’s buildings if they are listed as “active” users in the organization’s employee log. Links with the HRMS system or Active Directory can be created with provisioning software.
Information on the physical presence or absence of staff members can also be processed in real time in the organization’s online phone directory. Since the security management system knows employees have entered the building using their pass, it can synchronize this information with a system feeding an Intranet.
Where there are escalations, organizations may want to block or unblock an access badge immediately. With a special portal they can delegate certain tasks to employees (usually security staff) who have no access to the HRMS system or service management system. Besides blocking and unblocking badges, it is possible to register a new employee, change a password or issue a temporary badge if the original badge is lost. In this case, the existing PIN code will remain active. This delivers additional security, as the helpdesk does not know or get to see the PIN code and the end user also will only be able to use the temporary badge.
“Follow me” feature
SSO technology is developing at a lightning pace. One of the latest innovations is the “follow me” feature that can be used by organizations with a Virtual Desktop Infrastructure (VDI), e.g. a combination between VMware View 4.5 and Citrix XenApp.
One of the advantages of VDI is that sessions can easily follow the user from one desktop to the next. But this process is delayed because users have to enter their username and password and perform various actions to connect to their desktop. This is far from efficient in organizations where end users switch desktops multiple times a day, especially in healthcare.
The “follow me” feature makes it possible to resume work in the applications opened on the previous machine. All users need to do is hold their badge against a reader and they will be connected to the opened session automatically within just eight seconds.
Using a smartphone as a means of authentication is a logical step as end users almost always carry their mobile devices. Two-factor authentication with a smartphone is a sound alternative to the more expensive token solutions, since no costly additional hardware is required.
Using identity and access management software, the unique ID of the end user’s smartphone can be linked to the login process. When the end user logs in to the company network internally or remotely, the following takes place. The user enters his or her username and PIN code in the login screen. The login system will ask the smartphone for confirmation. A pop-up will be displayed on the user’s smartphone, prompting them for a confirmation of the login. After the user has confirmed, the login process is resumed and the user is successfully logged in.
Since smartphones offer multiple authentication capabilities, in the future there will be lots more possibilities for implementing strong authentication using smartphones, such as geolocation and voice recognition.
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign-on and access management, serving more than five million user accounts worldwide.