Who's Got Your Number?

It has long been one of the family secrets of the security industry that the standard proximity cards issued to our customers for years aren’t very secure.  The standard 26-bit format, for example, has only 16 bits reserved for a “unique” identifier, which means that if every American had to share this address space, your “personal” card would also belong to roughly 4,729 other people.  Makes you feel special, no?
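The arithmetic behind that figure, together with a decoder for the 26-bit layout, as an added example that is not part of the original post. It assumes the common open 26-bit layout (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit) and a population of about 310 million; the function names and the sample credential are constructed for illustration.

```python
US_POPULATION = 310_000_000  # assumption: rough 2010 figure, not stated in the post


def encode_26bit(facility: int, card: int) -> int:
    """Build a valid 26-bit value (used here only to construct sample data)."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    body = (facility << 16) | card                    # 24 data bits
    even = bin(body >> 12).count("1") % 2             # covers upper 12 data bits
    odd = 1 - bin(body & 0xFFF).count("1") % 2        # covers lower 12 data bits
    return (even << 25) | (body << 1) | odd


def decode_26bit(raw: int) -> dict:
    """Split a 26-bit credential into its fields and verify both parity bits."""
    if not 0 <= raw < 1 << 26:
        raise ValueError("credential must fit in 26 bits")
    bits = [(raw >> (25 - i)) & 1 for i in range(26)]  # bits[0] is sent first
    # The leading bit makes the first 13 bits even; the trailing bit makes
    # the last 13 bits odd. A single flipped bit breaks one of the two.
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return {"facility": (raw >> 17) & 0xFF, "card": (raw >> 1) & 0xFFFF}


def expected_sharers(id_bits: int, population: int = US_POPULATION) -> int:
    """Average number of *other* people who would hold the same identifier."""
    return round(population / (1 << id_bits) - 1)


if __name__ == "__main__":
    sample = encode_26bit(42, 12345)  # constructed sample credential
    print(f"raw={sample:026b} -> {decode_26bit(sample)}")
    # Only 24 of the 26 bits carry data; the other two are parity.
    print("card number alone (16 bits):", expected_sharers(16), "others")
    print("facility + card (24 bits):  ", expected_sharers(24), "others")
```

Even when the facility code is counted as part of the identifier, the format carries only 24 data bits, so the same population assumption still leaves about 17 other holders per value.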

Sure, there have been some advances—larger address spaces, “proprietary” formats, and so forth.  But on the whole, the landscape didn’t change much until the introduction of smart cards and biometrics.  With both of these technologies, there is now the option to have a completely unique and secure digital identifier that you alone can use for access to both physical and logical resources.  No more sharing, no more duplication—and no one either claiming to be you, or, conversely, denying their own identity when they’ve tried to do something they shouldn’t.

The federal government currently leads the definition, use, and deployment of these types of credentials, most notably in the form of PIV, TWIC, and CAC cards.  If you want to learn more about this, there’s a great resource at http://www.idmanagement.gov.  At Brivo we’re happy to support the use of these secure identity techniques, as we recently announced here.

These technologies for unique identification also give commercial enterprises greater control over their own employees and assets.  We’ve recently helped a large retailer deploy a wide-area biometric solution that helps them control access to high-value goods.  Biometrics were essential to the solution because cards and PIN codes are famously shared among employees and provide no capability for non-repudiation.

Despite these advances, the security industry is famous for its inertia and resistance to change. While many better technologies have been available for some time now, customers are often not informed about them, and are instead offered insecure alternatives because their provider can save a few cents on a card or a few bucks on a reader. Not very customer-focused.

But here’s my prediction.  This situation won’t persist. Over the course of the next three to five years, the industry will sort itself out between the haves and the have-nots along the lines of incorporating secure identities into their product offerings.  During that period, customers will become better educated—particularly those buyers approaching security from the IT side—and they won’t settle for a solution where someone else has “got their number”.

- Steve Van Till

Comments

There are a few points and assumptions here that need comment. 
 
The post implies that the 16-bit [card] number was intended to uniquely identify an individual. This is not accurate. The intent was to uniquely identify individuals within the space of a single facility. I do not know of a single site using 26-bit cards which would completely ignore the 8 bits of facility code. If they did, they would have human security issues that no technology itself would be able to solve. 
 
The relative uniqueness of a credential aside, it is correct that without some sort of biometric challenge, one can always share credentials and other challenge mechanisms. That said, I think it wildly optimistic to think that five years in the future this will all be worked out. 
 
No single biometric is appropriate for all use-cases, and this will slow adoption. Fingerprints are unsuited for cold environments when people wear gloves while working (airports, warehouses). Eye-scans aren't well suited for biomedical, clean-room, and environments that require protective glasses. Also consider that sites often suppress credential challenges during regular business hours. 
 
My prediction? The 26-bit card, and its brethren, will take a lot longer to phase out than people suspect. We in the industry should strive to provide products to meet demand, but not be surprised how long old technologies last. There is a lot of old hardware out there that's not going anywhere.
Posted @ Thursday, August 26, 2010 1:45 PM by Juan Camión