
Aladdin Dabbles Better Than HID Strategizes

Why haven’t I seen a cool press release from HID about Crescendo like this?  Oh, I forgot, Crescendo is just a card…

Now for a really cool announcement.  Aladdin, innovator in cards and the infrastructure that supports them, but which barely has a clue about physical and logical security convergence, announced a deal with mega-integrator Unisys.  The integrator will deploy more than 28,000 Aladdin eToken smart cards to provide employees with integrated physical/data access at 300 of Unisys’ worldwide facilities.

So here is an IT software company making a dramatic entry into converged physical and logical access with essentially no understanding of the physical security industry.  Meanwhile, HID, the so-called leader in door access cards and readers, keeps its foot squarely on the brakes.  I heard an HID executive at ISC explain why HID "can’t afford" to have a strategy to embrace the future.  I guess Aladdin, a software company best known for its digital rights management solution, can put together an effective "futuristic" solution like this, but HID cannot.

Don’t worry, HID.  For all I know, the Aladdin cards are being used with HID readers – so you’ll still have some business left.

Aladdin eToken smart cards (about the size of a typical credit card) serve an efficient, dual role for employees, allowing them to use the eToken smart card to gain physical access to offices while also using the same eToken smart card for Windows Network Logon. The integrated authentication solution illustrates the efficiency that can be gained by maximizing the flexibility and power of eToken smart card solutions. "We selected Aladdin eToken for widespread deployment at Unisys because of its proven reliability and high performance during extensive testing and evaluation," said John D. Frymier, director of information security, Unisys. "Convenience, performance, seamless integration and ease of use are critical, since thousands of employees with digital credentials will use them to enter a Unisys facility and log on to the network. This integrated solution maximizes the use of smart card technology, creating a streamlined tool that provides a simple and consistent layer of security."

  1. Robert A. Book
    April 11, 2007 at 8:26 pm

    As long as we’re dreaming, is it OK to ask whether the dream of fully integrated solutions might lead to a world that is less, rather than more, secure?
    If you use the same card or token or whatever to get in the door, logon to the network, access your e-mail, and decrypt it … then if you drop the token on the sidewalk and I pick it up, I have EVERYTHING. It is a bit like having “all your eggs in one basket” or all your investment dollars in one (penny) stock.
    If you have different tokens for everything, then if you drop your door key, I can get in the building but can’t get on the network. If you drop your network key (or the post-it with your password), I might be able to get into the network — but I can’t get into the building, so maybe not.
    In other words, with different tokens, you have slightly more inconvenience and a slightly higher chance of losing something — but a much smaller chance of losing everything.

  2. April 12, 2007 at 6:16 am

    What you’ve presented here, Dr. Book, is the “keys to the kingdom” argument which is standard fare when talking about authentication and authorization. If I find that key, I have access to the kingdom.
    There are two reasons that one key is more secure than many. The first is that one key is used frequently, while any one key in a group of many may be used quite infrequently. Therefore, a single lost key from the bunch could go unnoticed for a long time, creating a large window of opportunity for loss. Conversely, losing a single key will likely be noticed and reported relatively quickly (a short window of opportunity for great loss). Since time increases risk (and premeditation), always opt for the short window.
    The second reason is that a single authentication token is usually designed and deployed as a convenience and low-level privacy device when used by itself. That is, when I swipe a card to get into a door, it is a low-level privacy event. However, as risk increases so do complementary security measures, such as using a PIN (something I have + something I know).
    Assuming the folks deploying the security system actually know something about security, then we can be even more comfortable with reason number one: A short window of opportunity for great loss will only apply to doors or assets NOT considered to be of great value.

  3. April 12, 2007 at 10:00 am

    The more functions the card has on it, the more (intrinsic) value it has to the employee, and the less likely it is to be lost. Additionally, the MORE likely it is to be reported in the event of a loss … the employee cannot log on to his computer at work, which means he cannot work, which means he must report the lost card.
    Good security, then, is dependent on sound policies to support sound design, not only of the card but also the back-end systems. Although the systems may have been designed as “integrated”, effective logic should be put in place to ensure appropriate action is taken after a particular event.
    In this case, a report to IT that the employee lost his network login card should trigger automatic revocation of the card’s logical access credentials, physical access credentials, vending/purchasing capabilities and any other function the card may contain.
    In my mind this forces BETTER security, and a quick resolution by producing a replacement card (at a $40 fee – these cards are expensive, yet another reason for the employee not to lose their card).
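The revocation fan-out this comment describes, as an added example that is not part of the original post and not Aladdin, Unisys or HID code: one lost-card report blocks the card globally first, then revokes each linked function in turn, so a back end that happens to be unreachable cannot leave the card half-revoked; the time from loss to report (the "window of opportunity" the previous comment raises) is recorded in the audit trail. The system names, card serials and the simulated failing back end are constructed for the example.

```python
# Added example: lost-card report fans out revocation to every function the
# card carries. Not Aladdin/Unisys/HID code; system names are assumed.
from dataclasses import dataclass, field
from datetime import datetime

# Functions a converged card might carry (assumed names, not from the page)
LINKED_SYSTEMS = ("physical_access", "windows_logon", "email_decrypt", "vending")


@dataclass
class Card:
    serial: str
    holder: str
    credentials: dict = field(default_factory=dict)  # system -> True while valid
    blocked: bool = False          # global deny flag, set before per-system revokes
    audit: list = field(default_factory=list)


class CredentialRegistry:
    """Back end that owns all cards and performs fan-out revocation."""

    def __init__(self, failing_systems=()):
        self.cards = {}
        # Constructed: systems whose revocation call "fails", to exercise the
        # partial-failure path a real deployment must survive.
        self.failing_systems = set(failing_systems)

    def issue(self, serial, holder, systems=LINKED_SYSTEMS):
        card = Card(serial, holder, {s: True for s in systems})
        card.audit.append(f"issued to {holder}: {', '.join(systems)}")
        self.cards[serial] = card
        return card

    def _revoke_in_system(self, system):
        # Stand-in for the real call to each back end (door controller, AD, ...)
        return system not in self.failing_systems

    def report_lost(self, serial, lost_at, reported_at):
        card = self.cards[serial]
        # Block first: every authorize() consults this flag, so even if an
        # individual back end is down the card is denied everywhere immediately.
        card.blocked = True
        exposure = reported_at - lost_at
        card.audit.append(f"reported lost; exposure window {exposure}")
        failed = []
        for system, valid in card.credentials.items():
            if not valid:
                continue
            if self._revoke_in_system(system):
                card.credentials[system] = False
                card.audit.append(f"revoked {system}")
            else:
                failed.append(system)
                card.audit.append(f"FAILED to revoke {system}; retry queued")
        revoked = [s for s, v in card.credentials.items() if not v]
        return {"exposure": exposure, "revoked": revoked, "failed": failed}

    def authorize(self, serial, system):
        card = self.cards.get(serial)
        if card is None or card.blocked:
            return False
        return card.credentials.get(system, False)

    def reissue(self, old_serial, new_serial):
        old = self.cards[old_serial]
        if not old.blocked:
            raise ValueError("reissue only after the old card is blocked")
        new = self.issue(new_serial, old.holder, tuple(old.credentials))
        old.audit.append(f"replaced by {new_serial}")
        return new


def demo():
    """Issue a card, lose it, report it with one back end down, then reissue."""
    reg = CredentialRegistry(failing_systems=("vending",))
    reg.issue("C-1001", "alice")
    before = reg.authorize("C-1001", "windows_logon")
    result = reg.report_lost("C-1001",
                             lost_at=datetime(2007, 4, 12, 8, 0),
                             reported_at=datetime(2007, 4, 12, 10, 30))
    after = {s: reg.authorize("C-1001", s) for s in LINKED_SYSTEMS}
    reg.reissue("C-1001", "C-1002")
    return {
        "authorized_before": before,
        "exposure_minutes": int(result["exposure"].total_seconds() // 60),
        "failed_systems": result["failed"],
        "authorized_after": after,
        "replacement_works": reg.authorize("C-1002", "windows_logon"),
        "audit": reg.cards["C-1001"].audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The global `blocked` flag is the design point: revocation across several back ends is never atomic, so the authorization path must check a single source of truth before it trusts any per-system credential, and a failed revoke call is logged and retried rather than silently leaving one function live.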

  4. April 12, 2007 at 10:18 am

    One of the issues I see with Aladdin’s eToken appears to be the lack of the dual-chip or dual-interface option for the smart card. Looks like it’s a contact chip combined with standard 125 kHz prox technology.
    I’d like to see them combine it with a Mifare chip or perhaps a dual contact/contactless interface on a single chip (accessing different sectors and different functions). This would maximize the options and usability of the card for any number of applications.
    And doesn’t FIPS-201 require it? It may open up the federal market for them.

  5. April 15, 2007 at 11:21 am

    I went and read the Aladdin press release after reading Robert Book’s comment.
    The press release only says that the card will be used for Windows Logon – it doesn’t specifically state that this is the only piece of authentication.
    I could see a process wherein the card allows access and then a PIN or password is also needed – as Steve noted. There would be no reason for Aladdin to announce that in their publication.
    The good thing about 2 factor authentication: it wouldn’t be necessary to make users change passwords or PINs continually. Right now, I can tell you that complicated passwords are the Achilles’ heel of security. Anyone who doesn’t think so hasn’t talked to normal everyday users.
