HID’s 2014 security predictions
29 January, 2014
category: Biometrics, Corporate, Digital ID, NFC, Smart Cards
HID Global released its projections for trends that will have the greatest impact on the secure identity industry in 2014. The predictions encompass a range of solutions and technologies, including anticipated advances in physical and logical access control, secure issuance, identity assurance, visitor management, electronic ID (eID) and secure asset tracking.
Selva Selvaratnam, CTO at HID Global, anticipates a decline in the use of passwords for securing resources as organizations extend strong authentication across their IT infrastructure and out to the door. This can also accelerate the convergence of physical and logical access control that will drive a more seamless user experience when securing doors, data and the cloud.
Selvaratnam predicts:
The industry is moving beyond static, proprietary access control architectures to secure, open and adaptable solutions that support customers’ desire for new products and technologies that enable their business.
As the security landscape evolves in new ways, progressive organizations and thought leaders are adopting a new attitude about change. Proactively making changes will ensure that an organization’s access control solution can adapt to future threats and take advantage of opportunities and applications beyond access control. Future high-value applications might range from cashless vending, time and attendance, and secure print management to secure network logon as part of a fully interoperable, multi-layered security solution across company systems and facilities.
Integrating physical access control with IT security will bring new benefits while changing how organizations operate.
Historically, physical and logical access control functions were mutually exclusive within an organization, and different groups managed each. Now the lines between these groups are beginning to blur and organizations want to provision physical access control system and IT identities on a single card — or smart phone. Users will also soon be able to carry many types of access control credentials as well as one-time password (OTP) tokens on a single microprocessor-based smart card or smart phone.
Strong authentication will continue to grow in importance in the face of a changing IT security environment – and will also move to the door.
The industry is moving beyond simple passwords to additional authentication factors including something the user has — such as a mobile or web token — and something the user is, such as biometrics or behavior-metrics. While the industry is replacing hardware OTPs with software tokens that can be held on such user devices as mobile phones, tablets and browser-based tokens, there are security vulnerabilities with this approach.
A far more secure strong authentication alternative is multi-application credentials that can be carried on smart cards or smart phones. Users will simply take the same card, or phone, they use for building access and tap it to a personal tablet or laptop for authenticating to IT resources. There will also be increased adoption of other authentication factors including biometrics as well as gesture technology.
Strong authentication will increasingly be implemented using a multi-layered strategy.
Today’s strong authentication solutions will be used to secure everything from the door, to data, to the cloud. They will deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy. In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers to implement, including authenticating the device, the channel, the transaction and the application.
Effectively implementing these five security layers requires an integrated and versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops, and in the healthcare space, for online records access.
Mobile access control will continue to roll out in stages.
During 2014, we expect to see the first phases of mobile access deployments in which smart phones will function similar to that of a card transaction, with limitations due to technology and business ecosystems. In subsequent phases the phone’s on-board computing power and multimedia capabilities will be leveraged to overcome limitations and provide a more functional and rich user transaction and experience.
Looking forward further, the connectivity of smart phones will be used to perform most tasks that today are jointly executed by card readers and servers or panels in traditional access control systems. This includes verifying identity with rules such as whether the access request is within a permitted time and, using the phone’s GPS capability, whether the person is actually in the vicinity of the door. The user can then be validated using a cloud application and granted access via a trusted message over secure communication to the door.