Using FIDO authentication to secure mobile PACS
Gallagher CTO Steve Bell says decision driven by customer CIO needs
04 January, 2017
category: Biometrics, Contactless, Corporate, Digital ID, Government
Several weeks ago Gallagher unveiled its Mobile Connect product, which enables smartphones to serve as secure credentials for physical access control systems (PACS). The product uses the handset’s Bluetooth capability for communication between phone and reader and, notably, takes advantage of the FIDO authentication standard so that a biometric on the phone can serve as the second factor.
SecureIDNews spoke with Steve Bell, Chief Technology Officer for Security at Gallagher, about the new product and the decision to pursue FIDO in the PACS offering.
SecureIDNews: What led to the decision to build FIDO authentication into your new mobile physical access control (PACS) offering?
Steve Bell: One of the trends that Gallagher has seen grow over the last two years is our enterprise customers taking cyber security much more seriously. They are no longer happy to trust that we are doing the right things — corporate policy is requiring them to verify that our system meets the standards and many of these enterprises are submitting our system to penetration testing. So we quickly discounted developing our own credential on the phone in favour of an open standard credential to ensure acceptance by the enterprise security teams.
SecureIDNews: So why was FIDO selected over other options that are out there?
Steve Bell: We considered a PIV-style credential as well as OPACITY, which is now included in the FIPS 201 standard. FIDO authenticators won the contest as they have so many great features, including:
- Cryptographic strength of the authenticator is equal to PIV without the heavy infrastructure;
- We wanted to offer options of single or two factor with two factor preferably having a biometric ability;
- When using a biometric it stays secured on the phone and never gets transferred to our server, so it meets privacy concerns around the world;
- With the public key being the part of the credential that is sent from the phone to the PACS system, even if someone manages to get access to the public key they cannot use it to gain any access privileges;
- It is extensible. Already many phone manufacturers are including certified authenticators with their phones and offering various biometric options mostly fingerprint — but iris is available — this gives users some choice as to which biometric to use.
SecureIDNews: How does the FIDO component work with your mobile PACS solution?
Steve Bell: We implemented a FIDO authentication server component on our Controller 6000 that works in parallel with our existing MIFARE technology (DESFire, Plus and Classic) and legacy 125 kHz technologies.
We took the best practice approach of PIV to do the cryptographic processing of the authentication on the secure side of the door — in our Controller 6000 — with the Gallagher multi-technology reader being a communications gateway between the mobile device and the controller.
Provisioning of credentials to mobile devices is managed through the Gallagher Command Centre user interface and is no more complex than registering a card against a person. To maintain system security, Command Centre passes the email address and mobile number to our Mobile Connect cloud server, which then issues an email invitation to the person to enroll. At the start of the registration process it also issues an SMS to the user to provide more assurance that the correct person is registered.
The FIDO credential is sent from the phone to the cloud server and Command Centre polls the server to pull the credential into the PACS system.
The email address is never persisted in the cloud server and the phone number is deleted as soon as the verification code has been entered. Thus, Gallagher does not maintain any personal information in the cloud server.
SecureIDNews: How has the decision to use FIDO been received?
Steve Bell: When we chose to use it, FIDO was still in the early adopter phase and there was some risk that it might not be widely adopted. Now governments are choosing it for replacing passwords as well as big brands, so it appears that FIDO’s future as a standard is assured. Plus, we partnered with Nok Nok, one of the true innovators in FIDO technology. This gives our customers the assurance that the authenticators are as secure as they can possibly be on any mobile device.
Check out a quick video demo of mobile PACS in action: