Thursday, 16 June 2016

Multi-Factor Authentication via Smart Cards

Multi-factor authentication (MFA) strengthens the authentication step that protects data confidentiality. Authentication factors fall into three categories, and the basic idea is to make sure that the person requesting access is who they say they are by requiring proof from more than one category:


  1. Something you know - A password or PIN. Username and password is the usual setup in a small office/home office; the password is the factor, since the username is not secret.
  2. Something you have - A physical token such as a smart card, which is common in enterprise environments.
  3. Something you are - A biometric such as a fingerprint, which provides a value unique to the person.


Large-scale enterprises and government clients are more aware of access risk, and that risk weighs on system administrators who treat security as a top priority. Developing an authentication strategy is therefore necessary if data is to remain appropriately confidential. Adding smart cards to an organization that already uses passwords gives it multi-factor authentication, which drastically reduces the chance that a stolen or guessed password alone grants access. It is important, then, for system administrators to have a high-level idea of how smart cards are administered. Let's start with definitions.

What is a smart card?

As mentioned, smart cards fit the 'something you have' category of multi-factor authentication. A smart card is a physical card with a chip that holds a certificate and the matching private key. The certificate identifies the user and can be read by the machine; the private key never leaves the chip. The card proves it is the card named in the certificate by signing a challenge with that key, which the chip will only do after the correct PIN is entered. Possession of the card is the 'something you have'; the PIN that unlocks it is the 'something you know'.

How do you administer a smart card?

It's simple enough really. The smart card carries a certificate and is protected by a PIN. The certificate is issued by the organization's certificate authority and tied to the user's account in the authentication server, for example Active Directory, either automatically at enrollment or by exporting the certificate and mapping it to the account by hand. When the user inserts the card at a client machine and enters the PIN, the card signs a challenge, and the authentication server checks that the certificate chains to a trusted CA, has not been revoked and is mapped to the user, then verifies the signature before granting access. The server is not comparing a stored copy of a secret; it is checking that whoever holds the card can use the private key that belongs to the certificate.

So a briefer in bullet points:
1. Smart card certificate is issued by the CA and registered with the authentication server.
2. It is mapped to a user account and that account's access levels.
3. Smart card now represents the user.
4. At the client, the user authenticates with card and PIN; the authentication server validates the certificate, verifies the card's signature on its challenge, and grants access as per the user.
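Here is what steps 1 and 2 look like when the authentication server is Active Directory and the certificate has been exported from the card by hand. This is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module, an account allowed to edit the target user, and placeholder names (user `jdoe`, file `C:\cards\jdoe.cer`). It writes an explicit issuer-plus-serial mapping into `altSecurityIdentities`, which is the "strong" mapping form that domain controllers with the May 2022 certificate-mapping update (KB5014754) expect; older domain controllers used an issuer-plus-subject mapping instead, which Windows now treats as weak.

```powershell
# Added example (not from the original post): map an exported smart card
# certificate to an Active Directory user and require the card for
# interactive logon. Assumes the ActiveDirectory RSAT module, rights to
# edit the user, and a certificate exported from the card to $CertPath.
# The user name, CA name and file path are placeholders.
Import-Module ActiveDirectory

$User     = 'jdoe'
$CertPath = 'C:\cards\jdoe.cer'

# Load the public certificate only; the private key stays on the chip.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# altSecurityIdentities wants the issuer RDNs in reverse order with no
# spaces, e.g. DC=com,DC=example,CN=Example Issuing CA.
# This split is naive: it does not handle commas escaped inside an RDN.
function ConvertTo-MappingDn([string]$Dn) {
    $parts = $Dn -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# Strong mapping: issuer plus serial number in reversed byte order.
# GetSerialNumber() returns the bytes little-endian, which is the order
# the <SR> tag expects, so no extra reversal is needed.
$issuer   = ConvertTo-MappingDn $cert.Issuer
$serialSR = ([System.BitConverter]::ToString($cert.GetSerialNumber())) -replace '-', ''
$mapping  = "X509:<I>$issuer<SR>$serialSR"

# Register the card against the account, then make password-only logon
# unusable for it. Windows also replaces the account's password with a
# random value when this flag is set, so the old password cannot be reused.
Set-ADUser -Identity $User -Add @{ altSecurityIdentities = $mapping }
Set-ADUser -Identity $User -SmartcardLogonRequired $true

# Verify what was written.
Get-ADUser -Identity $User -Properties altSecurityIdentities, SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired, altSecurityIdentities
```

When the card's certificate carries the user's UPN in its subject alternative name and was issued by the enterprise CA, Active Directory maps it to the account implicitly and the `altSecurityIdentities` write is unnecessary; the explicit mapping is for the manual-export case described above, or for certificates from a CA that does not put the UPN in the certificate. The `SmartcardLogonRequired` flag is the part that actually makes the password a second factor rather than an alternative one.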

It's a simple setup really. To make systems more protected, 'something you are' could be added on top. But two of the three categories are already enough to let a system administrator sleep at night, provided the password-only path is actually switched off for those accounts; a card that is merely optional adds nothing against an attacker who already has the password. Also make sure the card locks after a handful of wrong PIN attempts, since a stolen card with no retry limit lets the PIN be guessed at leisure.

Wednesday, 15 June 2016

Building Entrance Sploit


The strongest cup of coffee I've ever had was at a giant tech enterprise. You would know it if I mentioned the company. Hint: their products are responsible for over 50% of the world's Internet traffic. I think the coffee was so strong because of the early shift teams, with days starting at 6:30 in the morning, typical for a NOC crew. Being groggy is normal before that first cup, and it's easy to forget important things at home, like your access badge. The early crew will relate to this. Thus the building entrance is socially exploitable.

Day one working at this enterprise, I'm told to get a few teammates' phone numbers in case I forget my access badge. So specific cases do exist where it is appropriate to allow others into the building. For instance, a team member waits outside at 6:30 am knowing that someone they recognize will let them into the building. But... what happens when people on that shift start getting used to this? What if someone standing outside this early gives a reasonable excuse, like knowing someone you know in the building? What if they were malicious?

An encryption consultant thinks about how to protect data and secures multiple avenues to ensure its confidentiality and integrity. Keeping things secure is their job, and that mindset spreads to other aspects of their lives. Others do not think about security as much because it is not part of their day-to-day work. A customer service specialist, for instance, focuses on reaching an agreeable compromise with the customer and has little reason to give security much thought.


The most common vulnerability is the human factor. Machines are easier to secure, given well-defined constraints, and they are not susceptible to social engineering. This is why employees of large organizations must be made aware of these issues: they are the gatekeepers at the door and hold some of the responsibility for it. Periodic training is recommended to remind employees of this. After all, it's easy to forget without coffee.