Identity-as-a-Service: a new approach for smart-card based security systems
For many years now, smart cards have proved their effectiveness as secure credentials for the IT environment. The chip on a smart card is essentially a microcomputer purpose-built to protect a security key that is unique to each card and never leaves the card in any transaction. When used for IT security, a smart card can authenticate a user to a computer (either at the OS level or pre-boot with disk encryption), to the network, and to applications, and it can be used for email signing and encryption and for other purposes such as digitally signing documents. Increasingly, smart cards are also being used for physical access, providing a much higher degree of security than mere photo badges or proximity cards.
Why is the physical access market also turning to smart cards? Because at least 90% of building access security card implementations are so fraught with basic security flaws that an in-person identity fraud attack can be executed for under $100 and with under 15 minutes of searching online. After that, it takes about 5 seconds each time an imposter wants to impersonate a valid user and walk around wherever that user is authorized to go. By using a smart card as an employee ID, the secure element in the card is leveraged to strengthen building security systems as well. Increasingly, organizations are setting their sights on integrated, or converged, systems, where one smart card credential is used both for physical access and IT access. The beauty of this approach is that there is only one credential to manage for each user, making it easier and less costly to issue, revoke or renew credentials or levels of authorization should an employee’s status change.