Bring your own smartphone to achieve access control and computer desktop login

Topic: Trends in self-provided terminals (BYOD); using employee's own mobile devices to control the use of work facilities and equipment, how it will affect information security; without prejudice to the company's security risks or harm to employee privacy Under what are the ways to safely implement such facilities and equipment.

This article refers to the address: http://

Bring Your Own Device (BYOD), which is an enterprise that allows employees to keep their mobile phones when they leave, is becoming increasingly popular. Nowadays, there are more and more smart phone functions. We can not only use our mobile phones to access computers, networks and related information, but also use mobile phones to open doors and enter safe areas. Deploying such network access and access control applications in a self-contained terminal environment requires the configuration of the relevant infrastructure, the right technology, and security assessment and proper planning.

Access control has only recently been added to smartphones. In the simplest application case, to implement mobile access control, you only need to replace the plastic card with the virtual credential card software running on the smartphone, and copy the card-based access control rules. The system still needs to make an access decision between the card reader and the central hardware control panel (or server) that stores the access control rules. In this case, the card reader is still connected to the central access control system.

Today's smartphones also generate One Time Password (OTP) to securely log in to another mobile device or desktop computer and access the network. In addition, a smartphone with a virtual credential can be used to purchase items, such as buying food in a company cafeteria, and to use the printing device safely. Considering that such a rich feature of self-contained smartphones, more and more employees are using their mobile phones to access systems, data and company facilities, IT departments should actively develop relevant solutions to better protect these resources. The mobile access control system needs to meet the requirements of the existing access control system and the traditional plastic access control card smoothly and safely. First, there must be a way to communicate data from a smartphone to an access card reader. This type of data communication can be realized with a mobile phone supporting Near Field Communications (NFC) and/or an additional device supporting NFC. For example, a microSD card is such an additional device, ensuring that a device that does not support NFC can also be secure. upgrade.

Second, there must be an ecosystem of readers, door locks, and other hardware that can read virtual credentials and respond with appropriate actions, such as opening a door lock or allowing access to computers and networks. . Currently, more than 650,000 hotels have installed door locks that can be opened with NFC-enabled smartphones. Similarly, interoperable online access card readers, electromechanical door locks, and card readers that connect to desktop computers or PCs are also being deployed, and third-party vendors are developing NFC-enabled hardware solutions, including biometric devices. Attendance terminal and electric car charging station and so on.

Finally, there must be a way to establish and manage virtual keys and virtual credentials used on smartphones. This not only requires a new way to describe identity information, but also requires that the description of the identity information be carried out within a reliable identity authentication framework so that the self-contained smartphone can be safely used in the access control network. .

This description of identity information must support a variety of encrypted data models related to secure identity information, including biometric data, attendance data, and so on. A reliable identity authentication framework ensures a secure communication channel between authenticated endpoints. The technology used to confirm the security of a self-contained terminal requires the use of a secure component of the handset, which is typically an embedded circuit or a plug-in module, often referred to as a Subscriber Identity Module (SIM).

By establishing an ecosystem of secure and reliable terminals, self-contained smartphones can be effectively managed in the access control system, thus configuring/unconfiguring identity information between the handset, card reader and door lock, and all other information. Processing becomes safe and reliable. The framework, combined with proven smartphone technology, creates an extremely secure mobile authentication environment.

Using this framework, enterprises can publish virtual credentials and virtual keys to these mobile devices, no matter where they are located or how they are connected. One way is through the Internet, similar to the traditional way of purchasing a plastic credential card, but connected to the self-provided terminal via USB or a Wi-Fi-enabled connector. Alternatively, the virtual credential card can be transmitted over the air by a service provider, similar to how today's smartphone users download apps and songs. In order to obtain a virtual credential card over the air, an NFC-enabled smartphone needs to communicate with a Trusted Service Manager (TSM), and then either directly to the mobile network operator or connect to its TSM, such a virtual credential card. You can provide a SIM card to your smartphone. Depending on the company's information security policy, users can share virtual credentials and virtual keys with authorized users through NFC's "tap-n-give" configuration.

The secure mobile configuration model eliminates the traditional risk of plastic cards being copied, and makes it easier to issue temporary credentials, revoke credentials when a voucher is lost or stolen, and, if needed, for example, information security It is also easier to monitor and modify security parameters as the threat level rises. The system administrator can use the management service to cancel the configuration of the virtual credential card in the air or delete the access rights in the access control system database. Enterprises can also set up dynamically, based on context, such as undoing two-factor authentication, and enterprises can even support variable levels of information security and use additional data elements. For example, when the security threat is upgraded, the two-factor authentication can be dynamically cancelled, and an application can be pushed to the mobile phone, the user is required to input a 4-digit PIN code, or a gesture of swiping is required before the mobile phone sends the information to open the door.

With access control and computer desktop login applications turning to self-contained smartphones, there are several issues that need to be addressed. First, to protect personal privacy while protecting the business from the harmful effects of personal applications, all applications and other ID credentials must be restricted to use between individuals and businesses. Another challenge is how to use virtual keys and virtual credentials to achieve other applications, such as having the app support PIN entry to "unlock" the key and complete the verification or sign-off process. In addition, the middleware API must be standardized so that the ID credential card functionality can be applied.

In addition, it may be necessary to support derivative credentials, such as those derived from the US Federal Staff's Personal Identity Verification (PIV) card. This combination of use and derivation of vouchers between businesses and individuals also creates a need for tiered lifecycle management. For example, if mobile devices are lost, all vouchers can be revoked with tiered lifecycle management. Card, and if the personal authentication card is cancelled, the mobile ID credential card used only for the work environment will be automatically cancelled. Perhaps the multidimensional management problem of mobile ID is the most challenging part of the self-provided terminal model.

For access control and computer desktop login functions to coexist on your own smartphone, you need to ensure the security of cloud storage. There are 4 possible ways. The first is to adopt an open access model on the public Internet, in which the username and password are managed by a software-as-a-service (SaaS) provider. Although this method is easy to adopt, the data protection capability provided is the weakest. The second is to use a virtual private network (VPN), and require remote users to verify the virtual private network before entering the user name and password (most likely through a one-time dynamic password solution) . However, virtual private networks are not convenient for users and cannot scale well to accommodate their own devices, because virtual private networks require virtual private network clients and personal applications to be installed on many different devices, and virtual private networks are not targeted. Internet security threats provide additional protection.

The third method is powerful native verification, which is not convenient enough because each application requires a unique, unique security solution. The fourth and best method is federated identity management, in which users authenticate against a central portal to access multiple applications. This approach supports many different authentication methods, does not require anything to be installed on the end user's device, and provides audit records for any of the accessed applications, thus meeting regulatory compliance requirements. This approach can also withstand internal security threats such as Advanced Persistent Threats (APTs), specialized hacking attacks, malicious behavior of former employees, and employee fraud. Federated identity management also applies to internal applications stored elsewhere, giving users easy access to a variety of applications in one place. However, no matter which method is chosen, there may be other policies and adoption problems that need to be resolved for the enterprise side and the owner of the self-provided terminal. Businesses want their own terminal owners to give up certain rights so that they can open and log in to their desktops with their own mobile phones, and their own terminal owners don't want to use certain features because they are afraid of revealing privacy.

Self-provided terminals have a number of advantages, especially the employee's smart phone can become a carrier, hosting a growing number of access control and computer desktop login keys and credential cards in the enterprise. The upcoming next-generation mobile access control solution will provide greater convenience and management flexibility while ensuring connectivity between smartphones, computers and network resources, access control systems, and infrastructure for delivering identity information in the cloud and over the air. Process data safely.