Your company is evaluating a physical access control system (PACS) solution. As a security professional, which of the following is the weakest authentication mechanism that you won’t recommend? (Source: Wentz QOTD)
A. ID card using the default PIN code
B. Unattended iris scanning with a high FAR
C. Fingerprint scanning with the default threshold
D. Security guards conducting visual authentication
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Security guards conducting visual authentication.
The Weakest Link
The human is the weakest link in the chain of security controls. To err is human, let alone the malicious insiders who have intimate knowledge of corporate systems and infrastructure, or even privileged access.
The vulnerability is reflected and addressed in FIPS PUB 201-2, which mandates electronic authentication over manual authentication.
The mechanism in which security guards authenticate cardholders visually is called VIS authentication, which “cannot be verified electronically and provides ‘LITTLE to NO’ confidence in the identity of the cardholder. It should not be used when another mechanism is practical.” (NIST SP 800-116 R1)
Visual authentication entails inspection of the topographical features on the front and back of the PIV Card. The human guard checks to see that the PIV Card looks genuine, compares the cardholder’s facial features with the picture on the card, checks the expiration date printed on the card, verifies the correctness of other data elements printed on the card, and visually verifies the security feature(s) on the card.
The effectiveness of this mechanism depends on the training, skill, and diligence of the guard (to match the face in spite of changes in physical appearance – beard, mustache, hair coloring, eye glasses, etc.) – counterfeit IDs can pass visual inspections easily. Digital scanners, printers, and image editing software have made counterfeiting easier.
Moreover, the visual verification of security features does not scale well across agencies since each agency may implement different security features.
For these reasons, [FIPS201] has downgraded this authentication mechanism to indicate that it provides “LITTLE or NO” confidence in the identity of the cardholder.
Source: (NIST SP 800-116 R1)
Default PIN Code
An ID card used with the default PIN code is still two-factor authentication. Even if the weak PIN code is breached, the ID card itself, something you have, still provides protection. Moreover, electronic authentication wins over manual authentication.
High FAR or Default Threshold
“Unattended iris scanning with a high FAR” and “fingerprint scanning with the default threshold” are authentication mechanisms based on something you are. Because the choice of a high FAR or the default threshold depends on the security requirement and control objective, a high FAR or the default threshold is not necessarily inapplicable. Moreover, electronic authentication wins over manual authentication.
- Homeland Security Presidential Directive 12
- FIPS PUB 201-2
- NIST SP 800-116 R1
- Card skimming
- Fake driver’s licenses flooding into US from China, other countries, US says
- This is Why The Human is the Weakest Link
Your company is evaluating a physical access control system (PACS) solution. The solution authenticates employees using contactless smart cards as ID credentials. As a security professional, which of the following authentication mechanisms is the weakest, the one you would least recommend? (Source: Wentz QOTD)
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.