There are many ways of identifying and authenticating users on a system. In this chapter, you have read about perimeter security and physical barriers to buildings and facilities. You have explored the realm of biometric access controls. In this section, you will read about other technologies that are designed to grant or prevent access to key areas or data.
The most common and widely used physical access control technology is the lock. Locks come in a wide variety, each with its own level of sophistication:
Mechanical (keyed) locks are the simplest and are most commonly used to secure portable equipment, such as laptops, that is easy to steal. Combination and cipher locks, which require a code rather than a physical key, are often used to secure sensitive areas within a facility, such as data centers.
In facilities with a large number of physical keys, keeping those keys secure can be a challenge. Electronic key management systems are locked boxes designed to control who has access to the keys and to keep a record of which keys are checked out and by whom. Typically, an EKMS has a keypad or smart card reader mounted near the lockbox. When an individual needs to check out a set of keys, he or she scans the smart card or enters a combination on the keypad. If the credentials are acceptable, the lockbox opens and the user can remove a set of keys from a chamber. The EKMS logs the user ID, a timestamp, and which keys are removed from the lockbox. The system also logs when the keys are returned.
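The value of an EKMS lies in the check-out/return record it keeps, and that record is only useful if someone reconciles it. The following script, written for this chapter as an added example (not the product of any EKMS vendor), parses a small constructed log in the form just described (user ID, timestamp, key, event) and flags the conditions an auditor would look for: a key still out past a loan limit, a key returned late, a key returned by someone other than the person who took it, and a return with no matching check-out. The log format, field names and the eight-hour limit are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample EKMS log (not from a real system). One record per line:
# <UTC timestamp> user=<id> event=checkout|return key=<key label>
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=jdoe event=checkout key=DC-RACK-12
2024-03-04T08:05:40Z user=asmith event=checkout key=GEN-ROOM
2024-03-04T09:15:02Z user=jdoe event=return key=DC-RACK-12
2024-03-04T17:45:00Z user=bmiller event=checkout key=MDF-CAGE
2024-03-04T22:10:33Z user=ckim event=return key=GEN-ROOM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>checkout|return) key=(?P<key>\S+)$"
)


def parse_ts(text: str) -> datetime:
    """Parse the log's UTC timestamps (assumed ISO 8601 with a trailing Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Split one EKMS record into its fields; an unparseable line is an error, not silently skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable EKMS record: {line!r}")
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "event": m["event"], "key": m["key"]}


def audit(log_text: str, audit_time: str, max_loan_hours: int = 8) -> list:
    """Reconcile check-outs against returns and report exceptions as (finding, key, detail) tuples."""
    max_loan = timedelta(hours=max_loan_hours)
    now = parse_ts(audit_time)
    findings = []
    out = {}  # key -> (holder, time checked out) for keys currently out of the box

    for rec in map(parse_line, log_text.splitlines()):
        key, user, ts = rec["key"], rec["user"], rec["ts"]
        if rec["event"] == "checkout":
            if key in out:  # a second check-out without a return in between
                findings.append(("double-checkout", key, f"{out[key][0]} then {user}"))
            out[key] = (user, ts)
            continue
        # return event
        if key not in out:
            findings.append(("return-without-checkout", key, user))
            continue
        holder, taken = out.pop(key)
        if holder != user:
            findings.append(("returned-by-other-user", key, f"{holder}->{user}"))
        if ts - taken > max_loan:
            findings.append(("late-return", key, holder))

    # Anything still out at audit time and past the loan limit is an open exception.
    for key, (holder, taken) in out.items():
        if now - taken > max_loan:
            findings.append(("still-out", key, holder))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "2024-03-05T08:00:00Z"):
        print(*finding)
```

Run against the sample log at 08:00 the next morning, the audit reports that GEN-ROOM was out for fourteen hours and came back in the hands of a different user, and that MDF-CAGE has not come back at all. The "returned by another user" case is the one worth escalating: it means a key changed hands outside the system's record, which is exactly what the EKMS exists to prevent.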
In situations in which more sophisticated access controls are needed, hardware tokens carried on key fobs are useful. A time-synchronous token is a small device that displays a new one-time code every 30 or 60 seconds; a true challenge-response token instead computes a code from a challenge supplied by the system. In both designs the code is derived with a keyed hash (an HMAC) from a secret seed shared between the token and the authentication server; despite a common misconception, these tokens do not rely on public key encryption. The key fob form factor is convenient for the user because of its small size, and because it attaches to a key ring it is less likely to be lost than a loose device.
To access a secured facility, VPN, or other resource, the user is given a challenge. With a time-synchronous token this is simply a prompt for the code currently displayed; with a challenge-response token it is a nonce that the user keys into the device. The user enters the resulting code into the access control system, which recomputes the expected value from its own copy of the seed and compares the two. If the code is accepted, the user is then prompted for a username and password or some other authentication factor. Such tokens are generally used in two-factor schemes: the token is something the user has, the password something the user knows. Because each code is valid only for its time step or for a single challenge, a code captured by an attacker cannot be replayed later, provided the server refuses to accept a code or challenge a second time.
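Both sides of the exchange described above, as an added example written for this chapter rather than code from any token vendor: the token side generates event-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) codes and a challenge-response code, and a small server class verifies them, tolerating one step of clock drift while refusing replayed codes and re-used challenges. The seed is the RFC test-vector value (ASCII "12345678901234567890") so the results can be checked against the published vectors; the `TokenServer` class, its window and its challenge handling are assumptions of the example, not a description of any particular product.

```python
import hashlib
import hmac
import os
import struct

# Demo seed: the RFC 4226 / RFC 6238 test-vector secret, chosen so the codes below are checkable.
# A real token's seed is a random secret provisioned at enrolment and known only to token and server.
DEMO_SEED = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset given by the low nibble of the last MAC byte."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over an 8-byte big-endian counter (symmetric, no public key involved)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def challenge_response(seed: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response mode: the token MACs the server's nonce with the shared seed."""
    mac = hmac.new(seed, challenge, hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


class TokenServer:
    """Verifier side (assumed design for the example): holds the seed, checks codes, blocks replay."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed = seed
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already consumed (replay guard)
        self.open_challenges = set()  # challenges issued but not yet answered

    def verify_totp(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue              # this step was already used: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.seed, c, len(code)), code):
                self.last_counter = c
                return True
        return False

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(16)    # unpredictable nonce, so a response cannot be precomputed
        self.open_challenges.add(challenge)
        return challenge

    def verify_response(self, challenge: bytes, response: str) -> bool:
        if challenge not in self.open_challenges:
            return False              # unknown, expired or already-answered challenge
        self.open_challenges.discard(challenge)  # single use
        expected = challenge_response(self.seed, challenge, len(response))
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = TokenServer(DEMO_SEED)
    code = totp(DEMO_SEED, 1000)                     # what the fob displays at t=1000
    print("first use:", server.verify_totp(code, 1020))   # True
    print("replay:   ", server.verify_totp(code, 1020))   # False
    nonce = server.issue_challenge()
    print("challenge:", server.verify_response(nonce, challenge_response(DEMO_SEED, nonce)))
```

The two things to notice are that the server needs nothing more than the same seed and the same keyed hash to check a code, and that replay protection is the server's job: the code itself is not secret once typed, so the verifier must remember which time steps and which challenges it has already accepted.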
The Common Access Card (CAC) is a smart card issued by the U.S. Department of Defense to military and civilian personnel and contractors. It serves both as an identification card for physical access to facilities and as a logical access credential: the PKI certificates on its chip support single sign-on to networks and systems, signed e-mail, and encryption. The CAC includes a magnetic stripe used in card readers for access to facilities. It also carries a digital photograph for visual identification and a microchip that stores a card holder unique identifier (CHUID), personally identifying information, and privilege data on the cardholder. CACs store basic identity verification data such as name and Social Security number, as well as two fingerprint biometrics.