Using RFID cards to access information systems
Using a unified access card based on the employee pass, and integrating logical access with the physical access control system
In most modern enterprises, employees use proximity cards (passes) to gain physical access to the business centre, office, plant territory etc. Such cards are often used as identity cards as well: they have the employee's photo, name and position printed on them. Since using such cards is common practice today, it is quite natural to extend this practice to logical access to the company's information systems.
The following tasks can be set for using passes for employee authentication:
- User authentication should be provided upon access to:
  - the Windows operating system (domain PC)
  - target applications
To solve this task, the Indeed Access Manager (Indeed AM) software suite is used. The suite allows the required authentication scenarios to be implemented in the Windows operating system and in applications.
Access to Windows is provided by the Indeed AM Windows Logon component using Active Directory domain account data. The component implements a Credential Provider, the Windows interface for logging on to the operating system. The standard OS logon interface is replaced by the Indeed AM Windows Logon interface, which supports various authentication technologies, including RFID cards.
Integration with Windows is carried out using standard protocols. This ensures compatibility with the Windows authentication subsystem and allows Indeed AM Windows Logon to be used in different access scenarios: local logon to a PC, remote desktop (RDP) and authentication inside the OS session. The system is centralized, so several employees can log on to the same PC using their domain accounts and pass cards, and the same employee can log on to any PC in the domain.
Indeed AM Windows Logon can operate in one-factor authentication mode, where placing the card on the reader is sufficient to authenticate. It also supports two-factor authentication mode, where the user has to place the card on the reader and enter a PIN code. On request, the proximity card can be combined with other authentication factors, e.g. a fingerprint.
Indeed AM supports the following proximity card formats:
- EM Marin
- HID Prox
- HID iClass
Indeed Access Manager does not replace the standard Active Directory authentication system, but automates user password management. In this configuration, password authentication becomes an internal mechanism used at software level only. When the first authenticator (biometric template etc.) is registered in Indeed Access Manager, the user's password is automatically changed to a random value that neither the user nor the system administrator knows. Thus, access to the domain becomes possible only with Indeed AM technology. Later on, the user's password is automatically changed either when prompted by the operating system or according to the configured schedule.
Indeed AM Windows Logon supports the standard “Behaviour upon smart card removal” domain policy. The policy can be configured to lock the Windows session when the user removes the pass card from the reader. This increases information security by locking the PC when the user leaves the workplace.
The Indeed AM Enterprise Single Sign-On (Indeed AM ESSO) component is used to implement biometric authentication for the applications employees use on their PCs (thin or thick clients). Indeed AM ESSO integrates with the target application without interfering with the application's software or operation: it intercepts the application's login, unlock and password change forms. The interception is performed by the Indeed AM ESSO agent installed on user workstations. When the target application displays its login form, the screen is locked and the user has to authenticate, e.g. by placing a finger on the fingerprint scanner. After that, the Indeed AM ESSO agent automatically fills in the login form and the user gains access to the application.
Optionally, the suite can be integrated with the physical access control system in order to determine the employee's location at the moment of authentication. For this, a special module has to be developed that receives from the physical access control system the location (building / perimeter) where the employee's pass card was last registered. Using this module, the Indeed Access Manager server requests the employee's location from the physical access control system before allowing or denying access to the PC. If the PC being accessed and the user are registered in different rooms/perimeters, access is denied even if the authentication data is correct.
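The location check described above, as an added illustration (example code, not the Indeed AM integration module): workstation perimeters, card registrations, the card and PC identifiers and the 12-hour staleness limit are all constructed assumptions, and the lookup dictionaries stand in for the data the physical access control system would return.

```python
"""Added example (not Indeed AM code): correlating a card logon with the physical
access control system (PACS). A logon is allowed only if the PACS last registered
the card in the perimeter where the workstation is installed. All identifiers,
data and the 12-hour staleness limit are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BadgeEvent:
    perimeter: str  # building / perimeter id reported by the PACS
    at: datetime    # when the card was last registered there


# Constructed: perimeter each domain workstation is installed in (asset inventory).
WORKSTATION_PERIMETER = {"PC-0142": "HQ-3F", "PC-0207": "PLANT-A"}

# Constructed: last PACS registration per card UID (what the integration module returns).
LAST_BADGE_EVENT = {
    "CARD-1001": BadgeEvent("HQ-3F", datetime(2024, 1, 15, 8, 55)),
    "CARD-1002": BadgeEvent("PLANT-A", datetime(2024, 1, 15, 8, 30)),
}

MAX_BADGE_AGE = timedelta(hours=12)  # assumption: older registrations count as stale


def location_check(card_uid: str, workstation: str, now_iso: str):
    """Return (allowed, reason). Fails closed whenever PACS data is missing."""
    now = datetime.fromisoformat(now_iso)
    pc_perimeter = WORKSTATION_PERIMETER.get(workstation)
    if pc_perimeter is None:
        return False, "workstation location unknown"
    event = LAST_BADGE_EVENT.get(card_uid)
    if event is None:
        return False, "no PACS registration for card"
    if now - event.at > MAX_BADGE_AGE:
        return False, "PACS registration is stale"
    if event.perimeter != pc_perimeter:
        return False, f"card registered in {event.perimeter}, PC is in {pc_perimeter}"
    return True, "card and PC are in the same perimeter"


def decide_logon(card_uid: str, workstation: str, authenticated: bool, now_iso: str):
    """Final verdict: correct card/PIN data alone is not enough, the location must match."""
    if not authenticated:
        return False, "authentication failed"
    return location_check(card_uid, workstation, now_iso)
```

The check fails closed: an unknown workstation, a card with no badge event or an event older than the limit all deny the logon, so a PACS outage does not silently turn the location check off.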
The general scheme of the solution is given below.
Indeed Access Manager consists of the following main components:
- Indeed AM Server (Server) is the server component of the Indeed Access Manager infrastructure. The Server provides centralized storage and protection of user data and carries out the user authentication procedure. It also receives and processes requests from client components and administrator tools. The Server guarantees that a user's data is available from any PC. It also lets the administrator configure access parameters for an employee or a group of employees and make global changes to the system.
- Indeed AM Windows Logon is the client software installed on employee workstations. Windows Logon provides access to Windows using strong authentication technologies.
- Indeed AM ESSO Agent is the client software installed on employee workstations. The ESSO Agent intercepts application on-screen forms and provides access to them using strong authentication technologies.
- Indeed Access Manager database. The database stores system settings and reference biometric templates used by the Server for user authentication.
- Indeed AM log. All events that occur in the system are recorded in the Indeed AM log. The log registers the date, time, username, Active Directory account name, account name in the target system, the fact that account data was used, the fact of logon to the target system etc. The log also registers the authentication method and technology the employee used to gain access to the system.
- Physical access control system integration module. The module interacts with the physical access control system and receives data on the employee's location.