Access Control
There are different types of access control technologies, all of which can be used to meet enterprise access control needs. Tokens, smart cards, encrypted keys, and passwords are some of the more popular access control technologies.

Biometric devices authenticate users to access control systems through some sort of personal identifier such as a fingerprint, voiceprint, iris scan, retina scan, facial scan, or signature dynamics. The nice thing about using biometrics is that end-users do not lose or misplace their personal identifier. It's hard to leave your fingers at home. However, biometrics have not caught on as fast as originally anticipated due to the false positives and false negatives that are common when using biometric technologies.

Smart cards are plastic cards with integrated circuits or storage receptacles embedded in them. Smart cards with integrated circuits that can execute transactions are often referred to as "active" smart cards. Cards with memory receptacles that simply store information (such as your bank ATM card) are referred to as "passive." Whether or not a memory card counts as a smart card depends on who you ask and what marketing material you are reading. Used to authenticate users to domains, systems, and networks, smart cards offer two-factor authentication: something a user has, and something a user knows. The card is what the user has, and the personal identification number (PIN) is what the user knows.

A token is a handheld device with a built-in challenge-response scheme that authenticates against an enterprise server. Today's leading tokens typically use time-based challenge-and-response algorithms whose values constantly change and expire after a certain length of time, e.g., one minute. Like smart cards, tokens provide two-factor authentication. However, unlike smart cards, the second factor changes constantly on timed intervals; therefore, once a password has been entered it cannot be reused, even if someone sniffing the wire captured it in transit.
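The time-based token scheme described above, as an added example that is not from the original article: a small Python model in which the token and the server derive a six-digit code from a shared secret and the current one-minute interval, and the server records the last interval it accepted so that a code captured in transit cannot be replayed. The HMAC-SHA256 construction, the six-digit length, and the one-interval clock-skew allowance are assumptions of this example, not details from the text.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # code lifetime: the one-minute interval the text mentions
DIGITS = 6          # assumed code length


def time_counter(unix_time: int) -> int:
    """Map a Unix timestamp to the number of the 60-second interval it falls in."""
    return unix_time // STEP_SECONDS


def generate_code(secret: bytes, unix_time: int) -> str:
    """Token side: derive the one-time code for the interval containing unix_time.

    HMAC over the interval counter means the code changes every minute and
    cannot be computed by anyone who lacks the shared secret.
    """
    counter = struct.pack(">Q", time_counter(unix_time))
    digest = hmac.new(secret, counter, hashlib.sha256).digest()
    # Dynamic truncation: pick 4 bytes at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Server side: verifies codes for enrolled tokens and refuses replays."""

    def __init__(self) -> None:
        self._secrets = {}        # user -> shared secret
        self._last_counter = {}   # user -> highest interval already consumed

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, code: str, unix_time: int, skew: int = 1) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = time_counter(unix_time)
        # Accept the current interval plus `skew` neighbours to tolerate clock drift.
        for counter in range(now - skew, now + skew + 1):
            if counter <= self._last_counter[user]:
                continue  # already consumed: a sniffed-and-replayed code is rejected
            expected = generate_code(secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter  # burn this interval
                return True
        return False  # wrong code, or a code that has expired
```

A real deployment would also rate-limit failed attempts and keep the per-user counter in durable storage, since the replay check is only as good as the server's memory of what it has already accepted.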

Encrypted keys are mathematical algorithms that are used to secure confidential information and to verify the authenticity of the people sending and receiving it. Standards for encrypted keys have been created to ensure that security requirements are taken into account and to allow technologies from different vendors to work together. The most widely used standard for encrypted keys is X.509 digital certificates. Using digital certificates lets you stipulate who can access and view the information you encrypt with the key.

Passwords are used for access control more than any other type of solution because they are easy to implement and extremely versatile. On information technology systems, passwords can be used to write-protect documents, files, and directories, and to allow access to systems and resources. The downside to using passwords is that they are among the weakest of the access control technologies that can be implemented. There are numerous password-cracking utilities on the Internet, some of which are freeware and some of which are licensed professional products. If a hacker downloads an encrypted password file, or a write-protected document with password protection, they can run the password file or document through a password-cracking utility, obtain the password, and then either enter the system using a legitimate user's account or modify the write-protected document by entering the correct password when prompted. By using a protocol analyzer, hackers can "sniff" the network traffic on the wire and obtain passwords sent in plaintext rather easily.