Increasing protection through multi-factor authentication

Access & Identity Management Handbook 2015 Access Control & Identity Management

Anyone who has an ATM card will be familiar with the two-step authentication needed before you can withdraw cash – your bank card and a PIN code. This is known as multi-factor authentication (MFA) and is now common practice in a number of arenas, including acquiring access to facilities and into company IT systems. Does MFA really provide the levels of security we commonly believe it does, or are we still vulnerable?

The types of authentication include PIN codes, passwords, RFID cards, tokens and biometrics (fingerprint, vein, palm, ear, facial recognition and iris recognition). According to Deon van Rensburg from ViRDI Distribution, HID recently released an authentication tool that is similar to the security certificates one sees on online payment sites. These certificates are sent to a user’s phone and are automatically scanned to the reader using near field communication (NFC). Another tool that a number of access control manufacturers are currently investigating is Samsung’s iBeam technology which uses existing secure Bluetooth technology, so no new hardware or electronic development will be required.

Zane Greeff of Elvey says that although tags and PIN codes are the two most common items, because they belong to the same authentication factor (knowledge), they are considered single-factor authentication (SFA). He adds that it is because of their low cost, ease of implementation and familiarity that PIN codes that have remained the most common form of SFA, but tags and PIN codes are not very secure. Multiple challenge-response questions can provide more security, depending on how they are implemented, and standalone biometric verification methods can also provide more secure single-factor authentication.

Alternatives with pros and cons

Brian Wynberger of Reditron says that the issue that arises with PIN codes is that they need to be random enough so that they cannot be easily guessed by a third party, but they also need to be simple enough to remember. Forgetting them often entails a waiting period while the system generates an alternative temporary password which will then allow the user to create a new password.

The problem with tokens or cards, he says, is that users need to be completely educated on their use and they can be easily lost or misplaced. Biometrics offer a more secure alternative, but if there are issues with scanner quality, false negatives or lack of user education on the use of the technology, delays in the flow through of pedestrian traffic will occur.

So is MFA really necessary? In spite of the pros and cons of each of the individual elements (see Table), the more elements that are introduced into the equation, the harder it will be for an intended intruder to gain access into an area. The number of factors used will be dependent on the identified risks and budgetary constraints. In higher risk areas, generally, there will be more factors in the MFA equation.

Best practice

Best practice in even the least risk prone areas is to have a lower level authentication together with one or more biometric authentication modes. Van Rensburg says that ViRDI adopts a multi-modal approach to authentication whereby fingerprint biometrics with live finger detection and vein readers connected to a facial recognition system. He recommends an RFID card used in conjunction with this multi-modal approach plus a PIN code. This he says provides 25 different options for customers.

Greeff says that an attacker may occasionally break an authentication factor in the physical world. A persistent search of the target premises, for example, might yield an employee card or an ID and password in an organisation’s trash, or carelessly discarded storage containing password databases. If additional factors are required for authentication, however, the attacker would face at least one more obstacle.

Wynberger says that single-factor authentication is archaic as new and more ingenious threats and vulnerabilities become prevalent. There is a 30% less probability of attack when one adds a password to an authentication process (say an RFID tag) and the threat is reduced down to 1% if one adds biometrics to the mix. Adding more factors will eventually reduce the risk to close to zero. Percentages mentioned above are merely for illustration purposes.

Speed of entry and exit also needs to be factored into the decision making process and this obviously needs to be balanced against adding additional time-consuming authentication processes to the equation.

Managing authentication

Managing MFA is another area that needs to be considered. Generally, most systems use proprietary software provided by the supplier, with enrolment taking place using a supplier database protocol. Monitoring and reporting can be undertaken through a third-party software supplier but this can cause issues because any reader updates may not be supported by this. Wynberger says that the systems need to be deeply integrated to ensure both the success of the MFA system as well as its longevity of use.

He feels that a building management system (BMS) may dilute the efficacy of an authentication device’s features due to the sheer size of the BMS. In general, he says, a BMS would merely consider what time a person clocks in and out, neglecting other important issues.

Greef says that one may find proprietary software and management in a secure environment that may or may not include building management modules like elevator access and level access, alarm arm and disarm functions. He adds that Impro caters for use of these factors to assist with building management in terms of time triggered events, for example, to arm an alarm at a specific time.

Choosing what factors/elements work for your specific environment and needs depends largely on whether the environment is a secure or high-secure area. Greeff says that Impro provides a selection of input and output modules that may be used to, for example, only provide the presented tag holder with access to a selected floor in a building that he/she has been pre-authorised to enter.

Francois Lottering of Reditron says that there is a diverse array of technologies available on the market which make MFA feasible and sustainable. The secret is choosing the right supplier and the right combination of technologies. He cites exciting products such as the Ievo range of biometric fingerprint readers that can read down to the fourth layer of skin, making them ideal for people who have damaged fingerprints on a dermal level or users wearing latex gloves. Another is the ViRDI AC7000 reader that considers facial recognition, fingerprints, RFID card and PIN in one package.

For more information contact:

Virdi Distribution, +27 (0)11 454 6006, [email protected], www.virditech.co.za

Reditron, 087 802 CCTV (2288), [email protected], www.reditron.co.za

Elvey Security Technologies, +27 (0) 11 401 6700, [email protected], www.elvey.co.za



Credit(s)





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Palm-vein biometric kiosks secure SAP at Transnet Engineering
Access Control & Identity Management Transport (Industry) Videos
Securing access to SAP is essential to avoid fraud or corruption. Ensuring that users can access the software quickly, easily, and conveniently to do their jobs is also essential.

Read more...
Empower individuals to control their biometric data
Information Security Access Control & Identity Management Security Services & Risk Management
What if your biometrics, now embedded in devices, workplaces, and airports, promising seamless access and enhanced security, was your greatest vulnerability in a cyberattack? Cybercriminals are focusing on knowing where biometric data is stored.

Read more...
Security industry embraces mobile credentials, biometrics and AI
AI & Data Analytics Access Control & Identity Management Integrated Solutions
As organisations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID.

Read more...
Nice launches DC Blue Astute garage door motor
Nice Group South Africa Technews Publishing News & Events Access Control & Identity Management Perimeter Security, Alarms & Intruder Detection
Nice Systems SA has launched the Nice DC Blue Astute, a garage door motor for the South African market featuring a pre-installed lithium-ion battery instead of traditional lead-acid batteries.

Read more...
Towards a global digital passport?
Access Control & Identity Management
In a world where borders are more connected and closely monitored, the idea of a universal digital passport could revolutionise how we travel, work, and even perceive citizenship.

Read more...
Empower individuals to control their biometric data
Information Security Access Control & Identity Management Security Services & Risk Management
What if your biometrics, now embedded in devices, workplaces, and airports, promising seamless access and enhanced security, was your greatest vulnerability in a cyberattack? Cybercriminals are focusing on knowing where biometric data is stored.

Read more...
A platform for access and identity at Securex 2025
Securex South Africa Access Control & Identity Management Facilities & Building Management
South African companies involved in supplying access control technology, security services, and data management are well-positioned to tap into the expanding access control market at Securex 2025.

Read more...
Background checks: risk levels and compliance
iFacts Access Control & Identity Management Security Services & Risk Management
Conducting background checks is a vital step in the hiring process for employers or when engaging service providers; however, it is crucial to understand the legal framework and regulations governing these checks.

Read more...
Insurance provider uses Net2 For access management
Paxton Access Control & Identity Management Integrated Solutions Healthcare (Industry)
BestMed selected Paxton Net2 for its access control requirements because of its simplicity of installation and ease of navigation for end users, as well as the 5-year warranty.

Read more...
Identity is a cyber issue
Access Control & Identity Management Information Security
Identity and access management telemetry has emerged as the most common source of early threat detection, responsible for seven of the top 10 indicators of compromise leading to security investigations.

Read more...