Security Sales & Integration

September 2013

SSI serves security installing contractors providing systems and services; surveillance, access control, biometrics, fire alarm and home control/automation. Coverage in commercial and residential product applications, designs, techniques, operations.

Issue link: https://securitysales.epubxp.com/i/166764


come a necessity and is now generally being adopted. Two-factor authentication is the combination of two out of the three possible methods (something you know, something you have and something you are). One basic example is ATM access that requires a card (something you have) and a PIN (something you know).

Within the health-care provider setting, the two authentication factors most commonly used to secure data are the proximity card that the clinician already uses to access the facility and a PIN or password. To log on, all the clinician needs to do is tap a card and type a PIN.

The problems mentioned above seem to be solved: the reliance on a username/password pair is diminished, information is accessible, workflow is enhanced and a record is created that links the authentication request to the access of the data. But what sacrifices have been made to make access to data this simple? Has security been sacrificed to ensure rapid clinician adoption? Unfortunately, using a prox card plus a password is not as secure as people may hope.

WHY PROX CARDS CAN BE PROBLEMATIC

Authentication with an RFID proximity card and a password is better than a username and password, but it is far from secure. Prox cards have been in use for 30+ years for physical access control and are now used to authenticate to networks and single sign-on systems. That technology was simply extended for the new use case. But is it really the best choice for logical access control in health-care settings?

Proximity cards use a static number (known as a card serial number, or CSN) sent over the air, unencrypted, to a reader. This number is correlated to a user's identity. In other words, the static CSN acts as a username and, with the password or PIN, the two are used to unlock a user's desktop or single sign-on session.
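An added example, not part of the original article: a toy Python model of the login check described above, in which the static CSN only selects the account, set beside an assumed challenge-response card (a scheme the article does not describe) whose answer changes on every tap. The CSN, PIN, user name, key and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def pin_digest(pin, salt):
    # Salted, slow hash so the server stores a verifier, not the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class LoginServer:
    def __init__(self):
        self.users = {}               # CSN -> (user, salt, PIN digest, card key)
        self.open_challenges = set()  # nonces issued and not yet used

    def enroll(self, csn, user, pin, card_key=None):
        salt = secrets.token_bytes(16)
        self.users[csn] = (user, salt, pin_digest(pin, salt), card_key)

    def _pin_ok(self, csn, pin):
        rec = self.users.get(csn)
        return rec is not None and hmac.compare_digest(pin_digest(pin, rec[1]), rec[2])

    def login_static(self, csn, pin):
        # Prox card + PIN: the CSN only selects the account, like a username.
        return self.users[csn][0] if self._pin_ok(csn, pin) else None

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self.open_challenges.add(nonce)
        return nonce

    def login_challenge(self, csn, nonce, response, pin):
        # Assumed alternative: the card proves it holds a key for a one-time nonce.
        rec = self.users.get(csn)
        if rec is None or rec[3] is None or nonce not in self.open_challenges:
            return None
        self.open_challenges.discard(nonce)  # each nonce is accepted once
        expected = hmac.new(rec[3], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return None
        return rec[0] if self._pin_ok(csn, pin) else None

def compare_card_factors():
    server, key = LoginServer(), secrets.token_bytes(32)
    server.enroll("0004A1B2C3", "clinician1", "4821", card_key=key)  # constructed values
    static_ok = server.login_static("0004A1B2C3", "4821")  # same two strings every time
    n1, n2 = server.new_challenge(), server.new_challenge()
    r1 = hmac.new(key, n1, hashlib.sha256).digest()  # computed on the card for n1
    fresh = server.login_challenge("0004A1B2C3", n1, r1, "4821")
    stale = server.login_challenge("0004A1B2C3", n2, r1, "4821")  # old response, new nonce
    return static_ok, fresh, stale
```

`compare_card_factors()` returns `('clinician1', 'clinician1', None)`: the static login needs only two fixed strings, while a card response computed for one nonce is rejected when presented against the next.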
In combination with a static CSN, newer RFID contactless cards offer the capability to write and store data on a card, encrypt data at rest and in transit, and secure
