In a digital world where physical and cyber threats are becoming increasingly sophisticated, businesses and organizations must stay one step ahead to protect their sensitive data. Enter federated access control.
In this article, I’ll explore what federated identity is, the benefits, and the problems federated identity can solve for physical access control.
What is federated identity?
Federated identity, also known as federated identity management (FIM) or federated identity authentication, is a type of digital identity management that enables users to access multiple systems using a single set of login credentials.
Federated identity is a technology you may have already experienced through single sign-on (SSO): once logged into your corporate system, you can move between separate software applications without having to log in to each one separately.
How does federated identity work?
Federated identity is based on mutual trust relationships between a service provider like an application vendor and an identity provider.
Behind the scenes, there will be an identity provider that has validated your identity. This identity provider has services that allow other applications to forward your sign-on request to it. If you have a valid live session you won't need to sign in again; instead, the identity provider will return a unique token to the application that represents you.
However, if you do not have a valid live session, the identity provider will request your identity through a username or email address and one or more authenticators. These authenticators can include passwords, one-time codes, biometrics, PINs, or verification through another channel such as a mobile device. Once you have successfully authenticated, the identity provider will respond to the application with your unique identity token and your session can begin.
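As an added example (not from the original article), the following Python model walks through the sign-on flow just described: a relying application forwards the request, the identity provider returns a signed token when a live session exists, and otherwise requires a username plus every enrolled authenticator before creating a session. The token format, the HMAC signing key shared with the application, and the user store are constructed assumptions, not SAML or OpenID Connect.

```python
import hmac
import hashlib
import json
import secrets
import time
from dataclasses import dataclass, field

# Constructed model of the described sign-on flow. Added example: the JSON token
# and HMAC signature are simplifications (assumption), not SAML or OIDC.

@dataclass
class IdentityProvider:
    signing_key: bytes           # assumed to be shared with relying applications
    users: dict                  # username -> {authenticator name: expected value}
    sessions: dict = field(default_factory=dict)   # session id -> username

    def _issue_token(self, username: str, audience: str) -> str:
        # The token carries only a subject identifier, audience and expiry,
        # so the application learns no more personal data than it needs.
        body = json.dumps({"sub": username, "aud": audience, "exp": int(time.time()) + 300})
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def sign_on(self, audience: str, session_id=None, username=None, authenticators=None):
        """Return (token, session_id); (None, None) when authentication is still required."""
        if session_id in self.sessions:                     # live session: no re-login
            return self._issue_token(self.sessions[session_id], audience), session_id
        user = self.users.get(username)
        if not user or not authenticators or set(authenticators) != set(user):
            return None, None                               # a missing factor fails
        if not all(hmac.compare_digest(user[k], v) for k, v in authenticators.items()):
            return None, None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return self._issue_token(username, audience), sid

def verify_token(signing_key: bytes, token: str, audience: str):
    """Relying application: check signature, audience and expiry; return the subject or None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["aud"] != audience or claims["exp"] < time.time():
        return None
    return claims["sub"]
```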
What are the benefits of federated identity?
Federated identity offers several benefits including:
- Privacy
- Enhanced security
- Ease of use
Privacy
Federated identity minimizes the amount of personal information that needs to be shared with other applications. Once the identity provider has authenticated you there is normally less need for the other applications to have your personal information.
Enhanced security
Federated identity also provides enhanced security: it makes it more difficult for anybody to impersonate another person’s identity, because the identity provider normally enforces stronger authentication through multi-factor authentication (MFA) or two-factor authentication (2FA).
Ease of use
But the key advantage is the ease of logging on to your regular apps, saving time and effort.
Examples of federated identity
Numerous organizations across different industries have already adopted federated access control to strengthen their security posture.
Some examples of federated identity include:
- Corporate networks
- Social media platforms
- Government solutions
Corporate networks
Your employer’s corporate network using single sign-on (SSO).
Social media platforms
Facebook is a great example of a social media platform that maintains a huge number of identities and offers a federated identity service to other applications. With this service, you can sign on to various applications using your Facebook credentials. However, it’s worth noting that social media identity providers may not put as much diligence into verifying your identity as your employer or a government agency.
Government solutions
The governments of many countries will have a federated identity provider that gives access to online services provided by various government agencies. For example, I live in New Zealand and our government has a Federated Identity service called RealMe. It allows me to log into services from more than 60 different agencies or government services as well as validate my identity for a lot of non-government entities such as banks and financial institutions.
Another example of a government Federated Identity is India’s Aadhaar, which is moving towards 1 ½ billion people enrolled. Aadhaar also enrolls a biometric for each person.
What problem can federated identity solve for physical access control?
Physical access control systems that rely on a card or electronic token to grant access to locations on a campus or in buildings can pose some challenges. In many situations an individual will need to have access to multiple different systems, which means they will have to carry multiple access cards.
There are several examples of where this occurs:
- A person has an access card issued by their employer. However, the office where they work is located inside a building that has its own access control system. Therefore, everyone in the building must use a card to access elevators or other shared services such as a gym or rest rooms.
- A business campus is another example similar to the above where there are several service providers who may require an access card for provision of a service.
- Government employees and contractors often have access to multiple different buildings or spaces. These will likely be provided by different government entities, each with its own access card.
What is required for federated identity in access control?
To enable federated identity for access control with a good level of security, a credential must have several characteristics. These characteristics provide the owner of a facility (relying party) with confidence that only authorized people will gain access to a building.
- Strong Authentication – The authentication should have a strong cryptographic key that ensures it is infeasible for the credential to be cloned or otherwise reverse engineered.
- Revocation – When a credential issuer no longer trusts the person, or the credential is lost, there must be an automated mechanism to inform the access control systems that have enrolled that credential so that access can be removed.
- The access control system of each relying party must support the credential technology used.
- When there are several credential issuers in a federated access control ecosystem, it is important that all issuers use the same level of due diligence in the identity validation.
Successful examples of federated identity in physical access control
Governments have a large number of employees and contractors who require access to multiple facilities that may be operated by different departments. One option that has been successful for Governments is to design their own access credential and then invite system vendors to support this credential in their card readers, controllers, and servers.
United States Government FIPS 201 (PIV)
The United States President mandated the development and deployment of a credential, called Personal Identity Verification (PIV), for all government and defense employees and contractors in HSPD-12 in 2004.
NIST (National Institute of Standards and Technology) took the responsibility to develop a standard, FIPS 201, for this credential. The standard included the process for identity verification during the issuance process for the credential. These credentials were then to be used by all staff and contractors for both physical and logical (computer and network) access control.
The technology for the credential is a smart card applet with various items accessible via the contact interface and a subset of functions through the contactless interface. Authentication is provided by PKI-based certificates, with fingerprint and iris biometric options available for multi-factor authentication along with an on-card PIN to unlock access to the primary certificate. An additional certificate could optionally be added to allow users to sign documents to a very high level of authority.
Digital certificates are the best-known technology for federated identity authentication; they provide excellent digital authentication and can scale to meet future technology changes, including quantum computing. The infrastructure to support digital certificates is well known and very mature.
The standard is designed to allow vendors to provide solutions for one or more subsystems that are required to fulfil the standard. The GSA (General Services Administration) takes the responsibility to manage the approval of products and the maintenance of an approved products list (APL) from which the agencies will purchase approved products.
PIV took several years and an overhaul of the APL testing process to achieve solutions that fully implemented the intent of the HSPD-12 directive, and the process of implementing PIV throughout all of the United States government has also taken many years.
PIV has been the most ambitious attempt to implement federated identity for physical access control. If it is implemented according to the standard, then it is fully interoperable and trustworthy. The standards are fully published so that any other government or group could take it on with minimum modification and make it fit their needs. The infrastructure for PIV is not trivial but also not significantly different from the needs of authentication across computer systems so the technology is well known.
United Kingdom Government GovPass
GovPass is a specification developed by the UK Cabinet Office and released in 2021. It is narrower in scope than PIV with physical access control being the only purpose. To ensure affordability of the technology along with suitable security, the token chosen for GovPass is the MIFARE EV2 and EV3 card. These cards are the most suitable option for symmetric keyed cards.
GovPass mitigates the risks associated with the shared secrets of symmetric keys through a centralized issuance process, the provision of separate keys for each agency in government, and the pre-population of generational sets of keys. This means that for each agency the keys can be “rolled” (one set of keys is retired and the system uses the next generational key set) several times before the cards would need to be reissued.
There are detailed requirements for card readers and systems and the handling as well as the protection of keys. Vendors and system components also need to be validated for compliance prior to approval for use in GovPass systems.
Revocation is enabled by a service published by the GovPass provisioning office that will inform access control systems if a card is no longer trusted.
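As an added example that is not part of the GovPass or PIV material above, this Python model brings together the mechanisms the requirements list and the GovPass description call for: a challenge-response keyed with a per-card diversified key (so a cloned card without the key fails), per-agency generational keys that a relying party enrolls and can roll, and an issuer-fed revocation set checked before any authentication. The key derivations, the (agency, generation) key layout and the card fields are assumptions for illustration, not the published specification.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

# Constructed model of a symmetric-key federated credential with per-agency
# generational keys, per-card key diversification and issuer-published revocation.
# Added example: the derivations are illustrative, not the GovPass specification.

def derive_agency_key(master: bytes, agency: str, generation: int) -> bytes:
    """Issuer derives one key per agency and generation from its master secret."""
    return hmac.new(master, f"{agency}|gen{generation}".encode(), hashlib.sha256).digest()

def diversify_card_key(agency_key: bytes, card_uid: bytes) -> bytes:
    """Per-card key, so extracting one card's key does not expose the agency key."""
    return hmac.new(agency_key, card_uid, hashlib.sha256).digest()

@dataclass
class Card:
    uid: bytes
    agency: str
    generation: int
    key: bytes  # diversified key personalised onto the card at issuance

    def respond(self, challenge: bytes) -> bytes:
        # Challenge-response: the key never leaves the card, only a MAC of the challenge
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

@dataclass
class Reader:
    """Relying-party reader: enrolled (agency, generation) keys plus a revocation set."""
    agency_keys: dict
    revoked: set = field(default_factory=set)

    def authenticate(self, card: Card) -> bool:
        if card.uid in self.revoked:          # revocation feed from the issuer
            return False
        agency_key = self.agency_keys.get((card.agency, card.generation))
        if agency_key is None:                # agency not enrolled or generation retired
            return False
        challenge = os.urandom(16)
        expected = hmac.new(diversify_card_key(agency_key, card.uid), challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))

    def roll_keys(self, agency: str, retire_generation: int) -> None:
        """Retire a generation: cards still on it stop working until reissued or updated."""
        self.agency_keys.pop((agency, retire_generation), None)
```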
Both PIV and GovPass implement the requirements for identity vetting, strong authentication, revocation, and a product approval process that ensures there are multiple providers of system components.
Meeting those four requirements has been essential for these systems to be true federated identity options for physical access control. Together they mitigate the security risks of trusting an access token issued by a different party.
The governments of these countries, along with the cardholders, are now experiencing the benefits of enhanced security and ease of use.
As the security landscape continues to evolve, organizations that embrace federated access control will be better equipped to protect their sensitive data and stay one step ahead of physical and cyber threats.