First Access: Authentication Suite
by Paul Grosse - June 1998
In an ideal world, an end user should be able to log onto their workstation simply by sitting down at it and, when they get up to go away, the machine should automatically disable itself until they come back. To extend this, if, in the meantime, another user wishes to use that machine, they should be able to log on and execute any tasks that they are authorised to do without gaining access to or interfering with the first user's work.
To some extent, this situation already exists with card-based token systems, but there are a number of problems with the way that these systems work in reality. As the cards have to be handled by the user, they tend to get left in or next to the readers while the users walk away for short periods and, in the case of notebooks, the cards are usually left with the machine, thus rendering the authentication system useless and, more importantly, placing in jeopardy the data that the authentication system was supposed to be protecting in the first place.
Educating the end users only produces temporary improvements, with bad habits soon returning. First Access have come up with a solution that precludes the formation of such habits by not requiring the end user to handle the token at all: the card merely has to be within a predetermined distance of a few metres or less, so there is no chance that it will be left in a card reader. In addition, because the cards are polled continually, the system is immediately aware of when a user leaves their machine, especially if the company's general security policy dictates that the authentication token should also be a personnel ID badge.
Due for general release during the last quarter of 1998, First Access' products are effectively: First Access Card; First Access Sensor; and the client, server and management software that is required to run the system - these being packaged variously as: First Access Enterprise - a complete authentication and authorisation system for the enterprise network; First Access WorkStation - a solution designed to integrate Vicinity Authentication capabilities into an existing authentication system; and, First Access Hardware Kit - for OEM integration.
First Access Enterprise
First Access Enterprise offers a company the complete vicinity authentication solution, providing all of the necessary components to install and run the system: First Access Card; First Access Sensor; First Access Server; and, First Access Manager.
First Access Card
Like most other tokens, First Access Card is the size of a credit card and contains all of the electronic components required to interact with the First Access Sensor.
Internally, it contains memory and processing power in order to identify itself securely to the sensor and, in addition to this, it may carry details about the owner of the card and may even be used to hold encryption keys.
Externally, companies may print company- and employee-specific information on the card, thereby bringing the use of the card in line with company ID cards, which are already accepted by the end user population. Cards sporting a company logo and the name and a photograph of the employee are less likely to be used in authentication fraud in open-plan offices. In the event of a card being stolen, it can be disabled as soon as this is reported. In addition, sites where visitors are accompanied may use the tokens as visitors' cards, with certain computer functions or displays restricted when the sensor detects the presence of a visitor card in addition to the logged-on user.
First Access Sensor
First Access Sensor is the system's card reader but, unlike other card readers that either make electrical or magnetic contact with a card or require the card to be within a few centimetres of the reader, First Access' reader will detect and identify cards at a distance of up to five metres (this distance may be reduced where the situation dictates, such as where there is a high density of workstations).
Physically, the desktop sensor measures approximately 14 cm (~5.5") wide x 7 cm (~2.75") deep x 4 cm (~1.5") high and sits on the desk by the keyboard. It plugs into the machine via either an RS232 COM port, the keyboard socket or the new USB ports that are now appearing on commercially available machines, thus enabling plug-and-play hot-swapping. The actual electronics inside are small enough to allow them to be put inside a laptop, thereby extending the functionality of the system to teleworkers and 'on the road' workers such as sales representatives, this latter class of user being particularly vulnerable to having machines stolen or left in places. Consideration is being given to reducing the size of the chipset so that palmtop computers can be included in the future.
Unlike many authentication systems, where a user is authenticated and then simply left to get on with their job in the hope that, when they have finished or move away from the workstation for a short time, they will take the trouble to log off, First Access' system continuously polls for cards that it can recognise within its range.
When a user with a valid card approaches a sensor, the sensor and the card communicate with each other and the user specific information is read into the system using asymmetric encryption, triple DES and certificates thus reducing any reasonable chance of sniffing or spoofing the system and making a given system company or department specific. The sensor interrogates the user database and determines whether or not that user is permitted to use that workstation and, if they are, what parts of the system they are authorised to access. If all is well, and the machine is not in use, the user enters their PIN (if the system is configured to require this) and they then log in as normal.
So far, the only difference between the First Access system and other systems is that the user is not required to handle the card. However, any other similarities soon disappear, because the sensor polls continually for the presence of cards, so that when the user leaves the workstation, the workstation enters AutoLock mode, disabling access to the computer by unauthorised users. More importantly, any background processes continue, so that processing power is not wasted.
While the original user is away, other authorised users may log in and use the workstation, but without access to the original user's current work. This type of system has many applications, especially in banks, hospitals and airport terminals, where access to personal details may be required but access to the terminal needs to be disabled when it is left alone, even for short periods of time.
As the system does not require the user to handle the card, it can stay fastened to the user's lapel or, in the case of on the road users, in the user's pocket, thereby significantly reducing the opportunity or tendency to leave it in or with the computer. In addition, visitors do not need to be told that their visitor's ID card tells the computer that they are close enough to it to constitute a security risk and results in temporary disablement of that workstation; thus visits by sales representatives and other 'alien' personnel may take place without risk to computer system security or company diplomatic relations.
Like all card readers, nothing of any security value is stored on the reader itself, so if it is stolen there are no repercussions for security; the only consequence is a short-term denial of service.
First Access Server
The First Access Server contains the user database and therefore details of cards, passwords / PINs, the users associated with those cards, the machines that the users are permitted to access, the facilities on those machines that they are authorised to use, times of day, days of week and so on. It supports the RADIUS (Remote Authentication Dial In User Service) and Kerberos protocols and therefore may be incorporated into existing systems with a minimum of annoyance. Communications with the server are encrypted so that sniffing and spoofing can be kept at bay. The server is administered from First Access Manager which, because communications are encrypted, may be done remotely.
First Access Manager
First Access Manager allows each user to be permitted access to a subset of workstations and to use certain resources. Access may be configured such that the user gains access merely by approaching the sensor (valid where other security filters apply, such as teller terminals in banks being covered by physical restrictions on reaching the machine, such as key-coded doors and armoured glass); being required to type in a PIN each time, or at specific times of day (such as out of hours) or on specific days of the week (such as weekends); or having to type in a PIN every so often even though they have not left their workstation. The system may also be configured such that a minimum number of people with the correct clearance have to be present before access is granted, and such that access is withheld if people without the appropriate clearance are present.
Needless to say, administrators must log in with a First Access Card in order to gain access to First Access Manager, whether on-site or remotely via an encrypted connection. In addition, log-in attempts, successful or otherwise, may be logged by the system and viewed by the administrator. The First Access system integrates with the NT User Manager, providing extra options and menus, in the same way that many security products do. It supports PC/SC and OCF (Open Card Framework) and, it is claimed, is integrated with GINA (Graphical Identification and Authentication).
First Access WorkStation
First Access Workstation is designed to integrate Vicinity Authentication capabilities into an existing authentication system. Using the First Access Card and First Access Sensor described above, it is able to interface with existing software products such as e-mail using Microsoft's Smart Card SDK and hardware products such as telephone systems and photocopiers using a First Access interface option.
Just as the power and connectivity of multimedia computers permit the use of more than just word processors and spreadsheets (once purchased, the functionality extends to voice-mail, fax, scanning and so on with only a minimum of extra investment), the vicinity detection capabilities of the First Access system extend, for example, to an automatic follow-me function for company telephone systems, where users are no longer required to remember to inform the exchange of the next telephone number.
The First Access system is scalable from thousands of users down to single users, with First Access Lite Client as a no-server option for the SOHO single user, all of the appropriate administration being performed on the single workstation.
First Access Hardware Kit
In order to facilitate the integration of First Access systems into other manufacturers' systems, First Access offer the component parts (described above) to OEMs and VARs to integrate with existing software and hardware products or to incorporate the First Access system as a whole. First Access will be available not only to companies purchasing through VARs but also to the security-conscious general public via resellers.
Most networks (around 100 seats) should cost $189 per workstation, with a sliding-scale reduction for larger orders (this includes the cards, sensor, and client and server software).
For smaller networks (5 to 10 seats), the server software will be priced separately.
Token-based authentication systems only check the identity of the card, and by implication the user, at the start of the session and ultimately require the user to remember to log off if they have to leave the workstation for some reason. Conventionally, when a system requires that cards are read, they are either swiped (magnetic cards, in which case the computer has lost touch with the card straight away) or placed in the reader (smartcards, creating a tendency to leave the card in the reader even when leaving the machine for short periods). In both cases, the user has to interact with the card in addition to the supporting software.
First Access' card, however, allows the user to leave the card where it is, on the lapel or in a pocket, thereby removing the chance that they forget where they have put it or leave it in the machine. As the card is monitored continuously, the computer is aware the moment a card (and by implication the user) leaves the computer and is able to disable access to that machine. This makes this type of authentication ideal for situations where terminals displaying personal details are likely to be left for short periods of time, such as banks, hospitals, airports and so on. In addition, once this technology is installed and paid for, possibilities for simple additional functionality in the office environment arise, such as managing access to photocopying resources and automated access restrictions or follow-me capabilities on company telephone services.
The device works on radio technology, but concerns over the effects of radio field strength on office workers should be few, as the range of the device (kept short in order to add further security and reduce power consumption) is only a few metres, compared to ranges of tens of miles for cellular telephones, which are already accepted. It is anticipated with confidence that it will be fully FCC approved, and it should also be considered that it will use less power than a wireless LAN.
Detection and identification of more than one card in a given area is of particular use in situations where it is prescribed that at least two authorised persons are required to be present in order to carry out a particular procedure - certificate authorities, government and military procedures are some examples. For the first time, the continued presence of the people concerned may be monitored.
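As an added illustration that is not code from First Access or from this article, the following Python model captures the presence rules described here and in the First Access Manager section above: AutoLock when the holder walks away, lock-out while a visitor badge is in range, a minimum number of cleared holders (the two-person rule), and a PIN prompt out of hours. The cards, clearance levels and working hours are constructed for the example.

```python
# Added example (not First Access code): a toy model of the presence rules the
# article describes. Card IDs, clearance levels and hours are constructed.
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Card:
    card_id: str
    holder: str
    clearance: int          # 0 = visitor badge; higher means more trusted
    revoked: bool = False   # set as soon as a theft is reported


@dataclass
class Policy:
    min_clearance: int = 1          # clearance needed to use this workstation
    min_cleared_present: int = 1    # 2 implements the two-person rule
    lock_if_uncleared: bool = True  # visitor badge nearby -> AutoLock
    work_hours: tuple = (time(8), time(18))  # outside this, demand a PIN


def evaluate(policy, in_range, now):
    """One poll of the sensor: returns (state, holders), state being LOCKED, PIN or OPEN."""
    live = [c for c in in_range if not c.revoked]          # disabled cards are ignored
    cleared = sorted((c for c in live if c.clearance >= policy.min_clearance),
                     key=lambda c: c.holder)
    if not cleared:
        return "LOCKED", []            # no authorised holder in range: AutoLock
    if policy.lock_if_uncleared and len(live) > len(cleared):
        return "LOCKED", []            # visitor nearby: keep the screen disabled
    if len(cleared) < policy.min_cleared_present:
        return "LOCKED", []            # two-person rule not satisfied
    holders = [c.holder for c in cleared]
    if not policy.work_hours[0] <= now < policy.work_hours[1]:
        return "PIN", holders          # out of hours: presence alone is not enough
    return "OPEN", holders


class Workstation:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}   # holder -> that holder's (suspended) work
        self.active = None

    def poll(self, in_range, now):
        state, holders = evaluate(self.policy, in_range, now)
        if state == "LOCKED":
            self.active = None           # screen locked; background work carries on
            return state, None
        # current holder keeps the console while present; otherwise the next
        # cleared holder gets their own session, never the absent user's work
        owner = self.active if self.active in holders else holders[0]
        self.sessions.setdefault(owner, [])
        self.active = owner
        return state, owner
```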
There are some instances where simply approaching the sensor with the card is all that is required to maintain the appropriate level of security. One example is that of bank tellers, where personal details are displayed on the monitors but the only ways to gain access are through a secure door into an environment where strangers will be noticed, or through the bullet-proof glass partition. In the latter case, it should be remembered that anyone seriously considering gaining access to the workstation via this route would find their way through any security device by threatening the staff.
At the time of writing, First Access' products have been built and work but are in the beta-testing stage with a large number of interested companies in the United States, Israel, the United Kingdom and Hong Kong, banks appearing to be particularly interested in the product suite.
First Access have good support from their financial backers, who are well connected in the computer security field, and, as a co-founder of the OCF, the company is well placed in the smartcard market, which, in five years' time, should have more than doubled the 1.2 billion cards that are in circulation today; a market that is predicted to be worth $2.3 billion per annum by 2002.
First Access has already picked up a 'Best of Show' award at CeBIT '98 in Hannover, Germany this year and, if their product becomes established and lives up to expectations, should shape the smartcard authentication market for some time to come.
From a background working as a software engineer for Security Seven, an anti-virus software company in Israel, Moshe Elgressy formed First Access in order to provide a 'complete intra-corporate authentication system for the enterprise network' and now, as CEO, manages the development of the company's product line. Shortly after the founding of the company, First Access secured a $1.5 million investment from Neurone, one of Israel's leading technology venture capital funds. Neurone is funded by Checkpoint Software, Emmet Computers/Sun Microsystems and Nisko/Siemens. Now, with its headquarters in Haifa, the company employs around 20 people, of which around three quarters are engineers.
First Access' product range is currently being developed but is established on a 'vicinity'-based authentication token (rather than proximity-based, the emphasis being on no physical contact being required in order to use the system) and the hardware and software associated with it. The range comprises First Access Card, First Access Sensor and the software required to implement the solution at both the client and the server / management end, with the target market being OEMs (for which there is a Hardware Kit) and resellers.
First Access is a founder member of the Open Card Framework (OCF) 1.0 reference implementation which is based upon Sun Microsystem's Java architecture. The OCF initiative began in March 1997 with Bull Personal Transaction Systems, Dallas Semiconductor Corporation, First Access, Gemplus, IBM, NCI, Netscape Communications Corporation, Schlumberger, SCM Microsystems, Sun Microsystems Inc., UbiQ Inc., and Visa International as founding members.
First Access' mission is to be 'committed to developing the best, practical Authentication Solutions for the enterprise'; to 'become the market leader in enterprise PCs and NCs security solutions'; to have 'the phrase "Vicinity Authentication" . . . associated with First Access as the creator of the new industry standard'; and to 'continue as technology leaders, creating state-of-the-art products and solutions.' The company's First Access Enterprise Suite won Byte Magazine's 'Best of Show' award at CeBIT '98 in Hannover, Germany.
Some estimates put the growth of smartcards at around 140% per annum over the next ten years, with predictions that contactless smartcards, such as First Access', will grow 250-fold from 1995 to 2001. First Access is the first company to try to secure the 'Vicinity Authentication' market; with backing from Neurone and its funding members, together with its relationships with the other members of the OCF initiative (who are in a position to incorporate First Access products in their equipment), First Access appears to be well prepared to take advantage of the situation and secure it for itself.
First Access Limited
10 Markoni Street
Tel: +972 4 840 3322
Fax: +972 4 840 3399
Copyright (c) 1998 P. A. Grosse. All Rights Reserved.