Identification is one of the basic requirements of any access control system. Users must have a way to identify themselves uniquely to a system using technology that ensures they will not be confused with any other user of the system. In this video, learn about two basic means of identification: usernames and access cards.
- [Narrator] Identification is one of the basic requirements of any access control system. Users must have a way to identify themselves uniquely to a system using technology that ensures they will not be confused with any other user of the system. Let's talk about two common identification mechanisms, usernames and access cards. Usernames are by far the most common means of identification for electronic systems. Organizations typically provide every individual who will access their computing systems with a unique identifier that they use across all electronic systems.
Commonly, usernames take the form of a first initial and last name or a similar pattern that makes it easy for those seeing the username to identify the corresponding person. Remember, usernames are for identification, not authentication, so there's no need to keep them secret. Obvious usernames make everyone's lives easier. Organizations also commonly use card-based identification systems. Many organizations issue employee identification cards to their entire staff, and that card often acts as the primary proof of employment.
Some cards also serve as access control devices for entering buildings or sensitive areas. They sometimes also provide access to electronic systems. In these cases, identification cards may serve as both an identification and an authentication tool. Card-based systems require the use of a reader, and the reading mechanism varies across card systems. The most basic card readers use magnetic stripes similar to the one that appears on the back of your credit cards.
These magnetic stripes are easily duplicated with readily available equipment, so they should not be considered secure. Anyone who gains possession of a magnetic stripe card or even knows how the card is encoded can create a copy of that card. Smart cards take identification card technology to the next level by making it much more difficult to forge cards. Smart cards contain an integrated circuit chip that works with the card reader to prove the authenticity of the card. Some smart cards are read by directly inserting them into a card reader.
The Department of Defense Common Access Card, shown here, is one such card. Chip and PIN credit cards use similar technology. When a user wants to identify to a system, he or she inserts the smart card into a reader that interacts with the card's chip. Contactless smart cards or proximity cards simply need to be placed near the reader. An antenna in the card communicates with the reader. Some of these cards, known as passive cards, must be placed into or extremely close to the reader to work properly.
They receive the power from the reader that energizes the chip, so they last indefinitely. Other proximity cards, known as active cards, contain batteries and transmitters. They use these batteries and can then transmit over longer distances and be read from several feet away. Toll transponders use this technology. The disadvantage to active cards is that they contain batteries and must be replaced periodically. Whichever technology you use, an identification system must at least satisfy the basic requirement of uniquely identifying system users.
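The difference between a magnetic stripe and a smart card chip, described in the transcript above, can be modeled in a few lines. This Python sketch is an added example and is not part of the course material; it assumes a shared-secret HMAC challenge-response scheme, which is one common design but not necessarily what any particular card uses, and every class name, card ID and key in it is hypothetical.

```python
import hashlib
import hmac
import secrets

class MagstripeCard:
    """Static data only: anything a reader can read can be written to a blank card."""
    def __init__(self, track: bytes):
        self.track = track

class SmartCard:
    """The key stays on the chip; only challenge responses leave the card."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayCard:
    """A copy that holds the card ID and one recorded response, but not the key."""
    def __init__(self, card_id: str, recorded: bytes):
        self.card_id = card_id
        self._recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self._recorded  # same answer no matter what the reader asks

class Reader:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # card_id -> key (assumed enrollment store)
    def accept_magstripe(self, card) -> bool:
        return card.track.decode() in self.enrolled
    def accept_smartcard(self, card) -> bool:
        key = self.enrolled.get(card.card_id)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh for every read
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))

def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed sample key
    reader = Reader({"jsmith": key})       # constructed sample card ID
    stripe = MagstripeCard(b"jsmith")
    chip = SmartCard("jsmith", key)
    recorded = chip.respond(secrets.token_bytes(16))  # one observed exchange
    return {
        "magstripe_copy": reader.accept_magstripe(MagstripeCard(stripe.track)),
        "genuine_chip": reader.accept_smartcard(chip),
        "replayed_chip": reader.accept_smartcard(ReplayCard("jsmith", recorded)),
    }

if __name__ == "__main__":
    print(demo())
```

The reader cannot tell the stripe copy from the original because the stripe carries nothing but its data, while the chip copy fails because it cannot answer a challenge it has not seen before.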
Prepare for the CISSP exam while you learn industry best practices for identity and access management (IAM). IAM is covered in the fifth domain of the exam, and comprises 13% of the test questions for the highly prized IT security certification. This course includes coverage of the core components of IAM: identification, authentication, authorization, and accountability. Learn how to control both the physical and logical access to your hardware, information systems, and data. Instructor Mike Chapple, the author of our nine-part CISSP test prep series, also covers credential management, external identity management, and prevention and mitigation of access control attacks. Members who take all eight courses in the series will be prepared to take the CISSP exam.
You can sign up for Mike's free study group at certmike.com, and find his study guides at the Sybex test prep site. To review the complete CISSP Body of Knowledge, visit https://www.isc2.org/cissp-domains/default.aspx.
- Identity and access management overview
- Identification mechanisms: user names, access cards, biometrics, and registration
- Authentication factors
- Password authentication protocols
- Identity as a service (IDaaS)
- Enforcing accountability
- Managing credentials with policies
- Using access control lists
- Defending against access control attacks